In message
<CAB3_BpPsYVc+OKX5oio03tuSy=D=o5ikb5eq7rxtxykvuax...@mail.gmail.com> ,
"Justin J. Novack" writes:
> [...]
>I could tap the collective knowledge.  My dilemma is that I'd like to be
>able to email out a friendly name for a port if one should exist.
>
>Rather than writing a x number of rules for x number of ports with a
>friendly name, (Port 1 belongs to EXCHANGE, port 2 belongs to
>DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc), I was wondering if
>there is a way to reference a map (by an external file or written within the
>rule itself).

You could use `grep interface name /file/mapping` in the commands
where you invoke the shell. Alternatively you could call a shell
script that interfaces to your inventory management system and does a
lookup so when the IMS changes mappings, you get the change
automatically.

action=pipe '%s' /bin/mail -s "[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!" n...@domain.net;

for example.

>My admins don't know what Ethernet4/38 maps to, and they shouldn't be
>expected to memorize it.  So currently I have to write the following rule:
>
># IMPORTANT SERVER 1
>type=Single
>ptype=RegExp
>pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
>desc=(MAJOR) $1 interface $2 DOWN!
>action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
>        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
> [...]
>Multiply that over each port needed, and I am swamped in rules.  Is it
>possible to utilize a mapping function so I have to write that rule once,
>but I can map interfaces with friendly names?
>
>GigabitEthernet4/38, IMPORTANT SERVER 1
>GigabitEthernet4/39, IMPORTANT SERVER 2
>GigabitEthernet4/40, IMPORTANT SERVER 3

I can see a couple of other ways of doing this inside of SEC, but I am
not sure it's easier/better than using `` in the command output:
 1) use contexts
 2) use a Perl associative array

The context could be called server_for_GigabitEthernet4/38 and have
the value IMPORTANT SERVER 1. To populate it a rule like:

  type = single
  ptype = regexp
  pattern = ^set (GigabitEthernet[0-9/]*) (.*)
  action = fill server_for_$1 $2

and generate a series of events/input lines like:

  set GigabitEthernet4/40 IMPORTANT SERVER 3

into SEC (see the mailing list archives for doing this over a secure
control channel).

Then to use the mapping:

   action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' n...@domain.net; ...

Note I may have some syntax off as I am doing this from memory. The
assign is needed to wipe any prior value and the copy pulls the value
from the context.

You can also do something similar using a Perl associative array
replacing the fill ... from above with

  eval %v ($ServerName{$1} = '$2')

using the same single rule.  To retrieve the value use something like:

   eval %S ($ServerName{$2})

which will return the value or use some extra Perl (... || "Unknown
server" perhaps??) to return a default value if the key doesn't
exist. Note there may need to be a return or some other perlish syntax
around $ServerName{$1}. I'm not in a position to test at the moment.

All of these alternatives allow you to change the mappings on the fly
using input to SEC (or rewriting an external file) which is usually
wanted since a change in the wiring infrastructure shouldn't require a
restart of SEC.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
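
Added example (not part of the original message and not SEC's own code): a lookup helper for the "call a shell script" option described in the reply, reading the mapping format shown in the quoted question. It matches the interface name exactly rather than by prefix, rejects names containing unexpected characters (the name comes from a log line), and falls back to "Unknown server"; the function name `lookup_server` and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): map an interface name to a
# friendly name using a "interface, friendly name" mapping file.

# lookup_server IFACE MAPFILE  (hypothetical helper name)
# Prints the friendly name for IFACE, or "Unknown server" if none is found.
lookup_server() {
    iface=$1
    map=$2

    # The interface name originates from a syslog line, so accept only the
    # characters an interface name is expected to contain.
    case $iface in
        ''|*[!A-Za-z0-9/.:-]*) echo "Unknown server"; return 0 ;;
    esac

    # A missing or unreadable mapping file yields the default as well.
    [ -r "$map" ] || { echo "Unknown server"; return 0; }

    # Exact string match on the first comma-separated field: no regex
    # metacharacters are interpreted and 4/3 does not match 4/38.
    name=$(awk -F',' -v key="$iface" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        (k "") == (key "") {
            v = $0; sub(/^[^,]*,[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$map")

    echo "${name:-Unknown server}"
}

# Constructed sample mapping, in the format shown in the quoted question.
demo_map=$(mktemp)
trap 'rm -f "$demo_map"' EXIT
cat > "$demo_map" <<'EOF'
GigabitEthernet4/38, IMPORTANT SERVER 1
GigabitEthernet4/39, IMPORTANT SERVER 2
GigabitEthernet4/40, IMPORTANT SERVER 3
EOF

lookup_server GigabitEthernet4/38 "$demo_map"   # known port
lookup_server GigabitEthernet4/3  "$demo_map"   # prefix only: no match
lookup_server 'Gi4/38;x'          "$demo_map"   # rejected by the filter
```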
