In message <4c0e2f7b.80...@umn.edu>, Tim Peiffer writes:
>I am looking for ideas on a mechanism of causing SEC to ignore events on
>a schedule on rules similar to the ones listed below.
[...]
>
>The schedule might come from scheduled down time for a host, device,
>peer, or circuit. The schedule must be controlled external to SEC, and
>must be reachable via some customer process. I have mysql available,
>and so are file transfer methods to pull down columnar data (sftp,
>https, etc) in order to fulfill the latter requirement. I would like to
>scrape the information from a change control process that declares a
>maintenance window, and also have a method of superseding it in the case
>where the maintenance action is completed before the end of the
>maintenance window.
>
>Table: scheduled maintenance
>Event Start, Event End, Host/Port/Peer, supercede?
>20100607T2200, 20100607T2345,myhost.mydomain, no
>
>
>type=Single
>ptype=RegExp
>pattern=Node Unreachable: (<host name or IP address>)
>desc=Scheduled outage on %s
>action=none
>
>type=Single
>ptype=RegExp
>pattern=Peer Down: (<peer name or IP address>)
>desc=Scheduled outage on %s
>action=none
>
>type=Single
>ptype=RegExp
>pattern=Link Down: (<Host + Port identifier >)
>desc=Scheduled outage on %s
>action=none

Similar to what John Brown suggests in another email, contexts are the
way to go here. For the rules above add a

  context = <host_port>_scheduled_down

entry. That will make these rules fire (and presumably stop other
rules for these hosts/port from firing).

To manually create the contexts, you could use logger(1) like John
Brown suggested; however, logger injects into the syslog stream and
anybody can use logger or spoof a syslog packet directly to create the
context.

Instead, for control stuff like this I suggest starting SEC with an:

  --input /var/spool/sec/Control=CONTROL

argument and apply appropriate access permissions on the file. Then use
a rule set similar to:

  http://www.cs.umb.edu/~rouilj/sec/rulesets/01control.sr

to match create/delete/obsolete/add commands specifically arriving from
the control file (and ignoring them from elsewhere).

You could make things easier by adding a rule specifically for setting
downtime. Suppose you emit a message

  schedule_downtime seconds_duration hostname

a single rule like:

  type=single
  continue=dontcont
  ptype=regexp
  pattern=^schedule_downtime (\d+) (.*)
  desc= create a scheduled downtime context
  context = CONTROL
  action = create $2_scheduled_down $1

will create the appropriate context for suitable values of (.*). Also a
user can manually delete the context if the maintenance window ends
early.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
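
Added example (not part of the original message or of SEC): one way to turn the maintenance table from the question into schedule_downtime lines for the control file described in the reply. The function names, the sample rows, the hostname whitelist and the choice to skip superseded rows are assumptions made for this illustration.

```python
import os
import re
from datetime import datetime

# Constructed sample rows in the column layout from the question (not real data).
SAMPLE = """\
20100607T2200, 20100607T2345,myhost.mydomain, no
20100607T2200, 20100608T0100,peer1.mydomain, no
20100607T2200, 20100608T0200,peer2.mydomain, yes
20100608T2200, 20100608T2345,core1.mydomain, no
20100607T2200, 20100607T2345,my host.mydomain, no
"""
TS = "%Y%m%dT%H%M"
# Assumed policy: the target becomes part of a context name, so allow only
# hostname characters (no whitespace or other metacharacters).
SAFE_TARGET = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def control_lines(table, now):
    """Return (commands, rejected_rows) for maintenance windows open at `now`."""
    commands, rejected = [], []
    for raw in table.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 4:
            rejected.append(raw)
            continue
        start_s, end_s, target, superseded = fields
        try:
            start = datetime.strptime(start_s, TS)
            end = datetime.strptime(end_s, TS)
        except ValueError:
            rejected.append(raw)
            continue
        if not SAFE_TARGET.fullmatch(target) or superseded not in ("yes", "no"):
            rejected.append(raw)
            continue
        # Superseded, not-yet-open or expired windows create no context. Removing
        # a context that already exists is left to the control ruleset's commands.
        if superseded == "yes" or not (start <= now < end):
            continue
        remaining = int((end - now).total_seconds())
        commands.append("schedule_downtime %d %s" % (remaining, target))
    return commands, rejected


def append_control(path, commands):
    """Append commands to the control input; mode 0600 applies on creation."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.writelines(c + "\n" for c in commands)
```

Rejected rows are returned rather than dropped silently, so the calling job can report a malformed change-control entry instead of leaving a window unsuppressed.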