In message
<CAP=bk28qn5m4j9nnbdjokkbvdt3xrz7rpugxjtphloyv3g+...@mail.gmail.com> ,
Vernon Nelson writes:

>I have been trying to meet some criteria for about a week now and I
>cannot seem to nail it.  I am trying to meet the following requirements for
>matching a Juniper Netscreen trap for cpu utilization.  However, I cannot
>get it just right.  Any help would be greatly appreciated.
>
>Problem:
>
>      trap from Juniper comes in every minute when over cpu threshold
>
>Solution I am trying to accomplish:
>
>      1) push event to the event browser after 3 traps in 5 minutes
>      2) re-alarm after 30 minutes

Re-alarm after 30 minutes or every 30 minutes while the problem is
occurring?

>      3) clear alarm after 10 minutes with no traps
>
>What I have works unless the CPU% changes and I cannot figure out how to
>get around matching that part of the trap.

My guess is your desc is too specific. The description should
include only the info that is needed to match any trap of that
type. It should specifically not include things like timestamps, or
metrics.

The description must match for events to be matched by a specific
correlation operation.

>Example traps:
>
>1364222455 3  Mon Mar 25 14:40:55 2013  outervp01           ?  [2]
>private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>[Root]system-critical-00030: SYSTEM CPU utilization is high (78 > alarm
>threshold:65) 1 times in 1 minute
>
>1364222455 3  Mon Mar 25 14:40:55 2013  outervp01           ?  [2]
>private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>[Root]system-critical-00030: SYSTEM CPU utilization is high (76 > alarm
>threshold:65) 1 times in 1 minute
>Ruleset:
>
> [wrapped for readability]
>
> # match only when you receive 15 traps from the source VPN
> type=SingleWithThreshold
> ptype=RegExp
> continue=TakeNext
> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU \
>            utilization is high
> desc= $5 high CPU alarm
> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 \
>          -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM \
>          CPU utilization is high."
>window=930
>thresh=15
>
> type=SingleWith2Thresholds
> ptype=RegExp
> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU \
>         utilization is high
> desc=$0
^^^^^^^^^^ I'll bet this is it.

> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST\
>        EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
> window=330
> thresh=3
> desc2=$0
  ^^^ or this

> action2=shellcmd  /usr/OV/bin/event -e NUP_EV  -h $5 \
>     -d "TEST EVENT: 2 $5 has sent 0 SYSTEM CPU utilization traps\
>     in the last 10 minutes. Validate the CPU is  below the threshold."
> window2=600
> thresh2=10

Notice the difference in desc between your SingleWithThreshold and your
SingleWith2Thresholds rules.

Also as an alternate way to generate a second alarm after 30 minutes,
might I suggest you create a context with a 1/2 hour lifetime and have
its expiration action generate a new alarm. If the problem clears just
delete the context.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
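The following is an added illustration of the point made in the reply above; it is not code from the thread or from SEC itself. It models SEC's desc-keyed counting on three constructed traps shaped like the ones in the thread (one per minute, each with a different embedded timestamp and CPU value, as real traps would carry). The pattern is assumed: it is the thread's pattern with the host group loosened to `(\w+vp\w+)` so it matches the example host `outervp01`, and `$1` is therefore the host name. `expand_desc`, `correlation_keys` and `threshold_reached` are hypothetical helper names; `threshold_reached` is a simplified stand-in for SingleWithThreshold, keyed on the expanded desc.

```python
import re
from collections import defaultdict

# Constructed sample traps modelled on the two in the thread, one per minute.
# The embedded "2013-03-25 14:4x:41" timestamp changes every minute and lies
# inside the part of the line the pattern matches, so it ends up in $0.
TRAPS = [
    "1364222455 3  Mon Mar 25 14:40:55 2013  outervp01  ?  [2] private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41 [Root]system-critical-00030: SYSTEM CPU utilization is high (78 > alarm threshold:65) 1 times in 1 minute",
    "1364222515 3  Mon Mar 25 14:41:55 2013  outervp01  ?  [2] private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:42:41 [Root]system-critical-00030: SYSTEM CPU utilization is high (76 > alarm threshold:65) 1 times in 1 minute",
    "1364222575 3  Mon Mar 25 14:42:55 2013  outervp01  ?  [2] private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:43:41 [Root]system-critical-00030: SYSTEM CPU utilization is high (81 > alarm threshold:65) 1 times in 1 minute",
]

# Assumed pattern: the thread's pattern with the host group loosened to
# \w+vp\w+ so it matches the example host "outervp01"; $1 is the host.
PATTERN = re.compile(
    r"(\w+vp\w+)\s+.*3224\.2\.3\.0.*system-critical-00030.+CPU utilization is high"
)


def expand_desc(template, match):
    """Expand SEC-style $N variables from a regex match ($0 = whole match)."""
    def repl(var):
        n = int(var.group(1))
        return match.group(n) if n <= match.re.groups else ""
    return re.sub(r"\$(\d+)", repl, template)


def correlation_keys(lines, template):
    """Count how many traps land on each expanded desc (the correlation key)."""
    counts = defaultdict(int)
    for line in lines:
        m = PATTERN.search(line)
        if m:
            counts[expand_desc(template, m)] += 1
    return dict(counts)


def threshold_reached(lines, template, window, thresh):
    """Simplified SingleWithThreshold: fire once a single key has seen
    `thresh` matching traps within `window` seconds (trap time = first field)."""
    seen = defaultdict(list)
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        ts = int(line.split()[0])
        key = expand_desc(template, m)
        # keep only the timestamps still inside the sliding window
        seen[key] = [t for t in seen[key] if ts - t <= window] + [ts]
        if len(seen[key]) >= thresh:
            return True
    return False


if __name__ == "__main__":
    # desc=$0: every trap gets its own key, the counter never climbs
    print(correlation_keys(TRAPS, "$0"))
    print(threshold_reached(TRAPS, "$0", window=330, thresh=3))
    # desc built only from the host: all traps share one key
    print(correlation_keys(TRAPS, "$1 high CPU alarm"))
    print(threshold_reached(TRAPS, "$1 high CPU alarm", window=330, thresh=3))
```

With `desc=$0` each trap produces a distinct key because the timestamp inside the matched text differs, so the three-in-five-minutes threshold is never reached; a desc built only from the stable host field collapses the three traps onto one key and the threshold fires on the third trap.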

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users