On 13.10.2010 10:50, Risto Vaarandi wrote:
hi,
is my understanding correct that you are trying to detect sets of
events, where the ordering of events inside a set can be arbitrary?
In other words, instead of arriving in the order (a1, a2, a3, a4, a5),
events could also come in the order (a5, a3, a2, a4, a1)?
If that is the case, then in the SEC FAQ there is a recipe for this:
http://simple-evcorr.sourceforge.net/FAQ.html#3.20
However, for the next major release of SEC I have planned a separate
rule type for recognizing unordered sets of events.
with kind regards,
risto
On 10/12/2010 03:55 PM, M Haris Farooque wrote:
Hello,
I have several sets of problem scenarios (around 20) which I analyzed
within a network. Each problem scenario generates a set of alerts or
events.
scenario1: a1, a2, a3, a4, a5
scenario2: a3, a2, a4, a5, a6
scenario3: a4, a6, a5, a7
...
for example,
Scenario #1: MM-application Down:
-----------------------------------------
possible generated alerts are: a1, a2, a3, a4, a5
which occur within a total time interval of, say, 300 seconds (5 mins).
I need to propose the correct failure situation to my network
administrator. What I am doing is: when any such event occurs for the
first time, I create a context and add this event to it. Then for all
subsequent events I add them to the same context.
# Rule 1: create the context the first time one of the scenario's
# alerts is seen. The "!MM_Problem" context expression makes this rule
# match only while no MM_Problem context exists yet; the context then
# lives for 300 seconds (the scenario's time interval).
# The alternation is grouped so the precedence is explicit; unanchored,
# it matches any line containing one of the alert names.
type=Single
ptype=RegExp
pattern=(a1|a2|a3|a4|a5)
desc=MM Application Problem
context=!MM_Problem
action=create MM_Problem 300; add MM_Problem "1st Event: $0"
##
# Rule 2: add subsequent events while the MM_Problem context is alive.
# $0 is the whole matching input line.
#
type=Single
ptype=RegExp
pattern=(ssh_tcp_dd|ssh_gprsstatus)
desc=Adding Subsequent events because of MM Problem
context=MM_Problem
action=add MM_Problem "Additional Event: $0"
The events are being added to the context, but how would I take the final
action when all events have occurred? That is, how can I notify SEC to send
an email to the administrator with particular information? In Rule 2 I tried
'SingleWith2Thresholds', but it didn't work!
What is a better way to handle such a problem?
Is there any possibility to add all occurring events to a context
instantly until a threshold limit is exceeded and then take some action?
Let me know if I didn't clarify my query.
--
Kind Regards/Mit freundlichen Grüßen
M Haris
Daimler-Fleetboard GmbH
D-70546 Stuttgart
Tel: +49 (711) 179 56 10
Mob: +49 (176) 470 96 991
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
Thanks a lot Risto,
I would like to know, is SEC maintaining any activity log? I need to make
my SEC efficient. Actually my network administrator may want to view the
activities that happened during the last 30 mins. The report should
contain the following set of information:
1. Problems identified within this time window
2. Problems already resolved within this time window
3. Which sets of events or problems are still open (unresolved).
For example, if problem (P1) consists of events (e1, e2 and e3)
and in this particular window only e1 & e2 have occurred, then in my report
I should hint to my administrator that, in the near future, problem (P1)
could arise.
Currently I have thought of one approach:
I create a separate context (c1, c2, c3) for every event (e1, e2, e3),
and when the event set is complete for any problem (P1), i.e. (c1 && c2 &&
c3), I delete these contexts, take the necessary actions and log an entry
in a log file about the identification and rectification of problem P1.
For reporting, every time my administrator needs to see a report,
a SIGUSR1 signal is sent to SEC, which in turn generates a dump file
(/tmp/sec.dump); this dump file is then parsed to find all open
contexts under the "List Of Contexts" heading.
So if only events (e1 & e2) have occurred, I would have contexts (c1 &
c2) in the dump file, and my separate Perl script is able to inform about
the possible occurrence of problem P1.
I haven't completely implemented this approach, but I was wondering: if I
could have an activity log of SEC, then I believe it would be much easier
to parse this log file rather than parsing the dump file.
Any suggestions and proposals from the SEC community are welcome.
--
Kind Regards/Mit freundlichen Grüßen
M Haris
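As an added example (this is not SEC itself, not code from the thread, and not the FAQ recipe Risto points to), the following Python model covers both questions raised in the thread: detecting an unordered set of alerts that must all appear within a 300-second window (the scenario matching Risto describes, where a1..a5 may arrive in any order), and the three-part "last 30 minutes" report of identified, resolved and still-pending problems that Haris wants to give his administrator. Each (problem, alert) pair is tracked like one of the c1..cN contexts in Haris's approach and dropped when its lifetime runs out; a problem fires once every alert in its set has been seen within the window. The problem names, alert tokens and log lines are constructed; the "<epoch seconds> <message>" line format and the "alert aN" token regex are assumptions made for this example.

```python
import re

WINDOW = 300        # seconds within which a scenario's alerts must all appear (from the thread)
REPORT_SPAN = 1800  # the administrator's "last 30 minutes"

# Problem definitions; the order of alerts is irrelevant. Names and tokens are
# constructed placeholders standing in for the a1..a7 alerts of the thread.
PROBLEMS = {
    "P1 MM-application Down": {"a1", "a2", "a3", "a4", "a5"},
    "P2": {"a3", "a2", "a4", "a5", "a6"},
    "P3": {"a4", "a6", "a5", "a7"},
}

# Assumed line format "<epoch> <message>" and an assumed "alert aN" token,
# playing the role of SEC's ptype=RegExp pattern.
LINE_RE = re.compile(r"^(\d+) (.*)$")
ALERT_RE = re.compile(r"\balert (a\d+)\b")


class Correlator:
    def __init__(self, problems, window=WINDOW):
        self.problems = problems
        self.window = window
        # One "context" per (problem, alert): alert token -> time last seen.
        self.seen = {name: {} for name in problems}
        self.identified = []  # (time, problem): the full alert set was seen
        self.resolved = []    # (time, problem): an operator cleared the problem

    def _expire(self, name, now):
        """Drop per-alert contexts older than the window (their lifetime ran out)."""
        seen = self.seen[name]
        for tok in [t for t, ts in seen.items() if now - ts > self.window]:
            del seen[tok]

    def feed(self, ts, token):
        """Feed one alert token; return the problems whose full set just completed."""
        fired = []
        for name, events in self.problems.items():
            if token not in events:
                continue
            self._expire(name, ts)
            self.seen[name][token] = ts
            if set(self.seen[name]) == events:   # all contexts c1..cN exist
                fired.append(name)
                self.identified.append((ts, name))
                self.seen[name].clear()          # delete the contexts after firing
        return fired

    def feed_line(self, line):
        """Parse one log line and feed the alert it carries, if any."""
        m = LINE_RE.match(line)
        if not m:
            return []
        ts, msg = int(m.group(1)), m.group(2)
        a = ALERT_RE.search(msg)
        return self.feed(ts, a.group(1)) if a else []

    def resolve(self, ts, name):
        """Record that the operator has rectified a problem."""
        self.resolved.append((ts, name))

    def report(self, now, span=REPORT_SPAN):
        """Identified and resolved problems in the span, plus partially matched ones."""
        since = now - span
        pending = {}
        for name, events in self.problems.items():
            self._expire(name, now)
            if self.seen[name]:
                # Alerts still missing before this problem would fire.
                pending[name] = sorted(events - set(self.seen[name]))
        return {
            "identified": [p for t, p in self.identified if t >= since],
            "resolved": [p for t, p in self.resolved if t >= since],
            "pending": pending,
        }


# Constructed sample input: P1's alerts arrive out of order within 120 s,
# then two of P3's alerts arrive, plus lines that match nothing.
SAMPLE_LOG = """\
1286890000 mm01 mmapp: alert a5 raised
1286890030 mm01 mmapp: alert a3 raised
1286890045 mm01 mmapp: alert a2 raised
1286890100 mm01 mmapp: alert a4 raised
1286890120 mm01 mmapp: alert a1 raised
1286890200 mm01 mmapp: alert a9 raised
1286890210 mm01 sshd: session opened for user ops
1286890800 mm02 mmapp: alert a7 raised
1286890830 mm02 mmapp: alert a6 raised
""".splitlines()


def run_sample():
    c = Correlator(PROBLEMS)
    fired = []
    for line in SAMPLE_LOG:
        fired += c.feed_line(line)
    c.resolve(1286890500, "P1 MM-application Down")
    return fired, c.report(now=1286890900)


if __name__ == "__main__":
    print(run_sample())
```

On the sample, P1 fires when a1 arrives last, the report lists P1 as identified and resolved, and P2 and P3 show up as pending with the alerts still missing for each; one minute later P3's two contexts would have expired and the pending entry would disappear, which is exactly the "could arise in the near future" hint Haris wants to surface.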