Is my understanding correct that if a trap comes in, you would like to get the values of all parameters, write the trap to the log, and suppress traps with the *same* set of parameter values for 5 minutes? And if a trap with the same father OID comes in, but some of the parameter values are different, it will be written to the log again and another suppression operation is started? Is it also correct that for each trap type (OID) the number of parameters is always the same? Finally, is it correct that your input lines for SEC look something like this:

<fatherOID> <OID1>=<value1> <OID2>=<value2> ... <OIDN>=<valueN>
If all these conditions hold, you might try the approach below. Suppose that the father OID (I assume it identifies the trap uniquely?) is 1.2.3. Also suppose that for trap 1.2.3 you know that it always has 3 parameters. Then the pattern for fetching the parameter values could look as follows:

pattern=1\.2\.3 [\d.]+=(\S+) [\d.]+=(\S+) [\d.]+=(\S+)

and the rule could be defined in the following way:

type=SingleWithSuppress
ptype=RegExp
pattern=1\.2\.3 [\d.]+=(\S+) [\d.]+=(\S+) [\d.]+=(\S+)
desc=estado $1 $2 $3
action=shellcmd /home/javier/send.sh
window=300

If you are using the colon (:) as a delimiter instead of the equal sign (=), simply replace all '=' symbols with ':' in the regular expression. I hope that I have understood correctly the thing you want to do, and I hope the above approach cracks the problem.

BR,
risto

On 06/01/2010 06:44 PM, Javier wrote:
> Risto,
>
> I have several logs with snmptt, and here is the raw output of two of
> them, hiding some private data between <>:
>
> snmptt.log:
>
> Wed May 26 13:12:30 2010 <"father" OID> Normal "Status Events" <IP> -
> Data notification
> organization default_organization
> channel default_channel
> number 666111222
> serviceconf GPRS
> dirip 87.172.15.19
> ...and 20 parameters more
>
> snmptthandler.debug:
>
> .1.3.6.1.6.3.18.1.4.0 private
> <"father" OID>.1.1.1.1.1 1
> <"father" OID>.1.1.1.2.1 "default_organization"
> <"father" OID>.1.1.1.1.2 2
> <"father" OID>.1.1.1.2.2 "default_channel"
> <"father" OID>.1.1.1.1.3 3
> <"father" OID>.1.1.1.2.3 "666111222"
> <"father" OID>.1.1.1.1.4 4
> <"father" OID>.1.1.1.2.4 "GPRS"
> <"father" OID>.1.1.1.1.5 5
> <"father" OID>.1.1.1.2.5 "87.172.15.19"
> <"father" OID>.1.1.1.1.6 6
> ...and 20 parameters more
>
> I know it's a little bit weird to present this data in this way, but I need
> to preserve the enterprise OID. Anyway I think it's enough, isn't it? I
> hope you can help me.
>
> I'm still thinking that Contexts could be a good idea, but I don't
> know how to do it.
>
> thanks
>
> 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>
>
> > On 06/01/2010 12:23 PM, Javier wrote:
> > > Risto,
> > >
> > > ok, but imagine this: my traps have 20 fixed parameters common to all
> > > kinds of traps. Each of those three traps has its own parameter
> > > values, so how can I process all of them? I guess with the "father"
> > > OID like this:
> > >
> > > pattern=<generic "father" OID>[\d.]=(\S+) ... 1.3.8.6.[\d.]=(\S+)
> > >
> > > or maybe
> > >
> > > pattern=<generic "father" OID>\[(\d+)\]:(\S+) ... 1.3.8.6.\[(\d+)\]:(\S+)
> > >
> > > which one??
> >
> > Hmmm, it's hard to provide any precise suggestions on regular
> > expressions, since I don't know what your input exactly looks like and
> > what exactly you would like to suppress.
> > If you could provide precise examples of the input with a precise
> > problem statement, it would be much easier to help.
> > BR,
> > risto
> >
> > > And I'm still not clear on how to do this rule and how to save the
> > > data to compare with the previous values.
> > > Please, any idea?
> > >
> > > thanks
> > >
> > > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>
> > >
> > > > On 06/01/2010 11:31 AM, Javier wrote:
> > > > > Risto,
> > > > >
> > > > > yes, you're right. I receive 3 different traps but from 3 different
> > > > > generic OIDs, but that's not important. For example
> > > > >
> > > > > <generic OID1> .1.2.3 A C
> > > > > <generic OID2> .1.2.3 A D
> > > > > <generic OID3> .1.2.3 B D
> > > > >
> > > > > and each one of them brings the raw data:
> > > > >
> > > > > <generic OID1> .1.2.3 ="OK"
> > > > > <generic OID1> .1.2.3.5="234234"
> > > > > <generic OID1> .1.2.3.6.7="UP"
> > > > >
> > > > > As you can see, some of them have more numbers in the OID, so how
> > > > > can I process all of them independently of the amount of numbers in the
> > > > > OID? If it is not easily accomplished anyway, I guess I can receive the
> > > > > relevant data from the same amount of numbers in the OID.
> > > >
> > > > it should be fairly easy to write a regular expression that handles the
> > > > variable amount of numbers. For example, [\d.]+=(\S+) matches any
> > > > sequence of numbers and dots that is followed by '=', and it also
> > > > assigns the value that follows '=' to a variable $1.
> > > >
> > > > > What about using Context to save every value from every parameter of
> > > > > the trap and, when there is a data change, write it in another log? (maybe
> > > > > that perl script in
> > > > > http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC
> > > > > to trap back). Is it possible??
> > > >
> > > > Indeed, you could use contexts for memorizing event correlation state,
> > > > but I'd recommend to take advantage of the 'desc' field of a rule.
> > > >
> > > > BR,
> > > > risto
> > > >
> > > > > Thank you very much
> > > > >
> > > > > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>
> > > > >
> > > > > > Javier,
> > > > > >
> > > > > > if each trap has several parameters that can have different values, and
> > > > > > you want to correlate events with the *same* set of values, this can be
> > > > > > easily accomplished by setting the 'desc' parameter accordingly.
> > > > > >
> > > > > > Suppose that the trap with OID .1.2.3 can have two parameters:
> > > > > >
> > > > > > <generic OID> .1.2.3 A C
> > > > > > <generic OID> .1.2.3 A D
> > > > > > <generic OID> .1.2.3 B D
> > > > > >
> > > > > > With this example, it is obvious that the following rule will react only
> > > > > > to the first trap:
> > > > > >
> > > > > > type=SingleWithSuppress
> > > > > > ptype=RegExp
> > > > > > pattern=<generic OID> (\S+)
> > > > > > desc=estado $1
> > > > > > action=shellcmd /home/javier/send.sh
> > > > > > window=300
> > > > > >
> > > > > > However, if you rewrite the rule as follows, each trap .1.2.3 with a
> > > > > > *different* set of parameter values will be correlated by a different
> > > > > > event correlation operation (in other words, if a trap with a new set of
> > > > > > parameter values comes in, it is written to the log and then suppressed
> > > > > > for 5 minutes):
> > > > > >
> > > > > > type=SingleWithSuppress
> > > > > > ptype=RegExp
> > > > > > pattern=<generic OID> (\S+) (\S+) (\S+)
> > > > > > desc=estado $1 $2 $3
> > > > > > action=shellcmd /home/javier/send.sh
> > > > > > window=300
> > > > > >
> > > > > > The key to the solution is to define the 'desc' parameter correctly,
> > > > > > since 'desc' defines the scope of event correlation operations. A similar
> > > > > > question has been asked many times in this list before, and since this
> > > > > > is one of the fundamentals of SEC, please have a look at the relevant
> > > > > > section of the man page:
> > > > > > http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV
> > > > > > This section explains the relation between rules and event correlation
> > > > > > operations, and how the 'desc' parameter influences this.
> > > > > >
> > > > > > BR,
> > > > > > risto
> > > > > >
> > > > > > On 06/01/2010 10:32 AM, Javier wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > well, that trap comes from a device with several parameters. I receive 3
> > > > > > > different traps, some parameters common to all traps and others only for
> > > > > > > each trap. A change in the trap is when I receive different data in
> > > > > > > any parameter from the last same trap.
> > > > > > >
> > > > > > > I've been searching documentation and maybe I could use Context to save
> > > > > > > the data from each parameter and then show it later if it changes, but I
> > > > > > > don't know exactly how I can do that. Is it possible? Any suggestion?
> > > > > > >
> > > > > > > thanks in advance
> > > > > > >
> > > > > > > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com>
> > > > > > >
> > > > > > > > How do you define a change in the trap?
> > > > > > > > br,
> > > > > > > > risto
> > > > > > > >
> > > > > > > > --- On Mon, 5/31/10, Javier <esj...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > From: Javier <esj...@gmail.com>
> > > > > > > > > Subject: [Simple-evcorr-users] Can SEC help me ??
> > > > > > > > > To: "simple-evcorr-users" <simple-evcorr-users@lists.sourceforge.net>
> > > > > > > > > Date: Monday, May 31, 2010, 8:15 PM
> > > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > I need to make a persistence correlation and I'm not sure if SEC can
> > > > > > > > > help me. It should go like this:
> > > > > > > > >
> > > > > > > > > I receive traps with a determinate OID in a log file as raw data,
> > > > > > > > > then I write the output to a DB to show it later as an alarm.
> > > > > > > > >
> > > > > > > > > I want to show the first coincidence and I want to correlate the
> > > > > > > > > event to show only when there is a change in the trap during a time
> > > > > > > > > threshold, and if there's a change in that same event, reset that
> > > > > > > > > time threshold and of course show the changes. I prefer to do it in
> > > > > > > > > memory and not in a DB...
> > > > > > > > >
> > > > > > > > > Well, is it possible to do that with SEC? and if yes... HOW??? maybe
> > > > > > > > > using several rules in the same conf file??
> > > > > > > > >
> > > > > > > > > thanks in advance
> > > > > > > > >
> > > > > > > > > ------------------------------------------------------------------------------
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Simple-evcorr-users mailing list
> > > > > > > > > Simple-evcorr-users@lists.sourceforge.net
> > > > > > > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
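To make the 'desc' scoping that this thread keeps returning to concrete, here is an added example in Python. It is not code from the thread, from Risto or from SEC itself; it models a SingleWithSuppress rule the way the thread describes it: the action fires on the first matching event, then matching events are ignored for window seconds, and every distinct expanded 'desc' string owns its own independent operation. The sample input is constructed in the "<fatherOID> <OID>=<value> ..." layout assumed above; the father OID 1.2.3, the parameter OIDs and the values are made-up placeholders, and the expand_desc helper and the SingleWithSuppress class are my names, not SEC's.

```python
# Added example (not from the thread): a small model of how SEC's
# SingleWithSuppress rule scopes its correlation operations by the expanded
# 'desc' string, fed with constructed trap lines in the
# "<fatherOID> <OID1>=<value1> ..." layout assumed in the thread.
import re

WINDOW = 300  # seconds, as in the rule's window=300

# Python equivalent of:  pattern=1\.2\.3 [\d.]+=(\S+) [\d.]+=(\S+) [\d.]+=(\S+)
# [\d.]+ accepts OIDs of any length (1.2.3.1 as well as 1.2.3.6.7), which is
# the variable-length-OID point made earlier in the thread.
PATTERN = re.compile(r"1\.2\.3 [\d.]+=(\S+) [\d.]+=(\S+) [\d.]+=(\S+)")

# Constructed input: (seconds since start, log line). Father OID 1.2.3 and all
# parameter values are made up for illustration.
SAMPLE_LINES = [
    (0,   "1.2.3 1.2.3.1=OK 1.2.3.5=234234 1.2.3.6.7=UP"),
    (60,  "1.2.3 1.2.3.1=OK 1.2.3.5=234234 1.2.3.6.7=UP"),    # same values: suppressed
    (120, "1.2.3 1.2.3.1=OK 1.2.3.5=234234 1.2.3.6.7=DOWN"),  # one value differs: new operation
    (200, "1.2.3 1.2.3.1=OK 1.2.3.5=234234 1.2.3.6.7=UP"),    # still inside the first window
    (400, "1.2.3 1.2.3.1=OK 1.2.3.5=234234 1.2.3.6.7=UP"),    # first window expired: acts again
]


def expand_desc(desc, groups):
    """Replace $1..$N in a desc template with the regex capture groups, as SEC does."""
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1], desc)


class SingleWithSuppress:
    """One rule; each distinct expanded desc owns an independent operation."""

    def __init__(self, pattern, desc, window):
        self.pattern = pattern
        self.desc = desc
        self.window = window
        self.expires = {}  # expanded desc -> time the suppression window ends

    def feed(self, now, line):
        """Return the expanded desc if the action fires, None if no match or suppressed."""
        m = self.pattern.search(line)
        if not m:
            return None
        key = expand_desc(self.desc, m.groups())
        end = self.expires.get(key)
        if end is not None and now < end:
            return None  # an operation with this desc is still running
        self.expires[key] = now + self.window  # start a new operation for this desc
        return key


def run(desc="estado $1 $2 $3", lines=SAMPLE_LINES):
    """Feed the sample lines through one rule and collect (time, desc) for every firing."""
    rule = SingleWithSuppress(PATTERN, desc, WINDOW)
    fired = []
    for ts, line in lines:
        key = rule.feed(ts, line)
        if key is not None:
            fired.append((ts, key))
    return fired


def compare_scopes():
    """Show how the desc template decides how many times the action fires."""
    return {d: len(run(d)) for d in ("estado $1 $2 $3", "estado $1")}


if __name__ == "__main__":
    for ts, key in run():
        print(f"t={ts:>3}s  action fires for: {key}")
    print(compare_scopes())
```

With desc=estado $1 $2 $3 the action fires at t=0, at t=120 (the DOWN value creates a second operation) and again at t=400 (the first operation expired at t=300). With desc=estado $1 every line collapses into the single key "estado OK", so only the t=0 and t=400 events get through; that is the difference between the two rules Risto showed.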