On Tue, 18 Oct 2011, Justin J. Novack wrote:

> Great idea, however, now all 432 ports on my device would send out an email
> on flap, rather than the 60 important ones. This would be perfect if an
> entire switch needed friendly names.
>
> As for David's suggestion, this would also be the case, however, I could
> error out (silently) if it doesn't match something in the hash. I would
> still need to call a shellcmd, I don't just email, I also trigger additional
> alerts like sounds and phones with the shellcmd announce.php, I'm happy to
> call that separately. At that point, I might as well just offload EVERY
> event to different perl files and fail silently if the switch/port
> combination is not in a hash/map.
>
> Are these ways any safer(?) or less performance intensive than 60+ rules?
> My initial thought was to write a template and seed file (a la Section 4.2
> http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html#SECPERFORMANCE)
> and just deal with adding a line (for each friendly named port) and
> recompiling the rules file every time I want to change.
>
> Thoughts?
regex matches are expensive (even in perl), if you can replace many regex
matches with one perl match you will gain a lot of efficiency. for example,
instead of your current match

pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down

you could replace it with a perl snippet along the lines of:

ptype=PerlFunc
pattern=sub { my @junk = split(' ', substr($_[0], 17)); \
  if (exists $serverhash{$junk[8]} && $junk[4] eq 'LINK-3-UPDOWN') { return $_[0]; } \
  return 0; }

this will return the line as $0 if the line is a 'LINK-3-UPDOWN' event and
the interface is in the serverhash list. you can easily add additional
parsing of the line in perl to pull apart the data in other ways.

doing a split on space is far cheaper than evaluating a lengthy regex,
especially with a lot of \w+ \s+ \d+ type entries. with a default syslog
line you need to do the split on the substring starting with column 17
because the date will have an extra space in it for the first 9 days of
each month.

David Lang

> --
> Justin J. Novack
> Official Disturber of the Peace
>
>
> On Tue, Oct 18, 2011 at 1:52 PM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
>>
>> In message
>> <CAB3_BpPsYVc+OKX5oio03tuSy=D=o5ikb5eq7rxtxykvuax...@mail.gmail.com> ,
>> "Justin J. Novack" writes:
>>> [...]
>>> I could tap the collective knowledge. My dilemma is that I'd like to be
>>> able to email out a friendly name for a port if one should exist.
>>>
>>> Rather than writing x number of rules for x number of ports with a
>>> friendly name, (Port 1 belongs to EXCHANGE, port 2 belongs to
>>> DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc), I was wondering if
>>> there is a way to reference a map (by an external file or written within
>>> the rule itself).
>>
>> You could use `grep interface name /file/mapping` in the commands
>> where you invoke the shell.
>> Alternatively you could call a shell
>> script that interfaces to your inventory management system and does a
>> lookup so when the IMS changes mappings, you get the change
>> automatically.
>>
>> action=pipe '%s' /bin/mail -s "[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!" n...@domain.net;
>>
>> for example.
>>
>>> My admins don't know what Ethernet4/38 maps to, and they shouldn't be
>>> expected to memorize it. So currently I have to write the following rule:
>>>
>>> # IMPORTANT SERVER 1
>>> type=Single
>>> ptype=RegExp
>>> pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
>>> desc=(MAJOR) $1 interface $2 DOWN!
>>> action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
>>>   shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
>>> [...]
>>> Multiply that over each port needed, and I am swamped in rules. Is it
>>> possible to utilize a mapping function so I have to write that rule once,
>>> but I can map interfaces with friendly names?
>>>
>>> GigabitEthernet4/38, IMPORTANT SERVER 1
>>> GigabitEthernet4/39, IMPORTANT SERVER 2
>>> GigabitEthernet4/40, IMPORTANT SERVER 3
>>
>> I can see a couple of other ways of doing this inside of sec, but I am
>> not sure it's easier/better than using `` in the command output:
>> 1) use contexts
>> 2) use a perl associative array
>>
>> The context could be called server_for_GigabitEthernet4/38 and have
>> the value IMPORTANT SERVER 1. To populate it a rule like:
>>
>> type = single
>> ptype = regexp
>> pattern = ^set (GigabitEthernet[0-9/]*) (.*)
>> action = fill server_for_$1 $2
>>
>> and generate a series of events/input lines like:
>>
>> set GigabitEthernet4/40 IMPORTANT SERVER 3
>>
>> into SEC (see the mailing list archives for doing this over a secure
>> control channel).
>>
>> Then to use the mapping:
>>
>> action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' n...@domain.net; ...
>>
>> Note I may have some syntax off as I am doing this from memory. The
>> assign is needed to wipe any prior value and the copy pulls the value
>> from the context.
>>
>> You can also do something similar using a perl associative array
>> replacing the fill ... from above with
>>
>> eval %v ($ServerName{$1} = '$2')
>>
>> using the same single rule. To retrieve the value use something like:
>>
>> eval %S ($ServerName{$2})
>>
>> which will return the value or use some extra perl (... || "Unknown
>> server" perhaps??) to return a default value if the key doesn't
>> exist. Note there may need to be a return or some other perlish syntax
>> around $ServerName{$1}. I'm not in a position to test at the moment.
>>
>> All of these alternatives allow you to change the mappings on the fly
>> using input to SEC (or rewriting an external file) which is usually
>> wanted since a change in the wiring infrastructure shouldn't require a
>> restart of SEC.
>>
>> --
>> -- rouilj
>> John Rouillard
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>>
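As an added example (not code from anyone in this thread), here is one way to combine David's split-based PerlFunc match with John's associative-array idea so that all of the per-port rules collapse into one rule whose friendly names live in an external file. It assumes SEC 2.x started with --intevents (so SEC_STARTUP/SEC_RESTART are generated), a constructed mapping file /etc/sec/portnames.map in the "interface, friendly name" form quoted above, and the placeholder address alerts@example.com.

```sec
# Added example, not from this thread.  Assumes SEC run with --intevents and a
# constructed mapping file /etc/sec/portnames.map containing lines like
#   GigabitEthernet4/38, IMPORTANT SERVER 1
# Lines without a comma are ignored.  The file is trusted configuration: its
# values end up in a shell command line below.

# Load the interface -> friendly-name map at startup and again on SIGHUP
# (SEC_RESTART), so the map can change without editing the rule file.
# context=SEC_INTERNAL_EVENT restricts this to SEC's own internal events, so an
# input line that merely reads "SEC_RESTART" cannot trigger a reload.
type=Single
ptype=RegExp
pattern=^SEC_(STARTUP|RESTART)$
context=SEC_INTERNAL_EVENT
desc=load port name map
action=eval %loaded ( my $n = 0; $main::portname = {}; \
  if (open(my $fh, '<', '/etc/sec/portnames.map')) { \
    while (my $l = <$fh>) { chomp($l); next if $l !~ /,/; \
      my ($iface, $name) = split(/\s*,\s*/, $l, 2); \
      if (defined($name)) { $main::portname->{$iface} = $name; $n++; } } \
    close($fh); } \
  "$n port names loaded" ); logonly %loaded

# Match LINK-3-UPDOWN "down" events only for mapped interfaces.  A cheap
# substring test gates the line, split(' ') copes with the padded syslog day
# field (so no substr offset is needed), and the short anchored regex runs only
# on UPDOWN lines.  Returns (host, interface, friendly name) as $1, $2, $3;
# returning 0 means no match.
type=Single
ptype=PerlFunc
pattern=sub { my $line = $_[0]; \
  return 0 if index($line, 'LINK-3-UPDOWN') < 0; \
  return 0 unless ref($main::portname); \
  my @f = split(' ', $line); my $host = $f[3]; \
  my ($iface) = $line =~ /Interface (\S+), changed state to down/; \
  return 0 unless defined($iface) && exists $main::portname->{$iface}; \
  return ($host, $iface, $main::portname->{$iface}); }
desc=(MAJOR) $1 interface $2 ($3) DOWN!
action=pipe '%s' /bin/mail -s '[ERROR] $3 LINK_DOWN!' alerts@example.com
```

Unmapped ports fall through silently with a single hash lookup instead of 60+ regex evaluations per line, and a changed mapping takes effect with a SIGHUP rather than a rule rewrite.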