...the ruleset seems not to be recognized as plain text with the .conf
extension:
# Counting rule: one correlation operation per host ($1). After 3 traps in
# 300 s it raises a synthetic event; after 600 s with 0 traps it clears the
# alarm and deletes the re-alarm context.
type=SingleWith2Thresholds
ptype=RegExp
continue=TakeNext
pattern=(\w+vp\d+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
desc=$1 high CPU alarm
action=event GENERATE_CPU_ALARM_$1
window=300
thresh=3
desc2=$1 CPU normal
action2=shellcmd /usr/OV/bin/event -e NUP_EV -h $1 \
-d "TEST EVENT: 2 $1 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is below the threshold."; \
delete CPU_REALARM_$1
window2=600
thresh2=0

# Alerting rule: sends the alarm to HP OpenView and re-arms itself through a
# context that regenerates the synthetic event when it expires after 1800 s.
type=Single
ptype=RegExp
pattern=GENERATE_CPU_ALARM_(\w+vp\d+)
desc=$1 high CPU realarm
action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $1 \
-d "TEST EVENT: 2 $1 system-critical-00030: SYSTEM CPU utilization is high."; \
create CPU_REALARM_$1 1800 (event GENERATE_CPU_ALARM_$1)
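To make the correlation scope of this ruleset visible, here is an added Python replay of its logic over constructed trap lines (this is not part of the original message and not SEC code): it keys the counting on the $1 hostname so traps from one host with different CPU percentages count together, alarms after 3 traps in 300 s, re-alarms through the 1800 s context, and clears after 600 s without a trap. The hostnames, the timeline and the simplified timer model are assumptions.

```python
import re
from collections import defaultdict

# Host-extracting pattern from the ruleset above (OID dots escaped literally).
TRAP_RE = re.compile(r"(\w+vp\d+)\s+.*3224\.2\.3\.0.*system-critical-00030.+CPU utilization is high")
WINDOW, THRESH = 300, 3   # alarm after 3 traps within 5 minutes
WINDOW2 = 600             # thresh2=0: clear after 10 minutes without a single trap
REARM = 1800              # CPU_REALARM context lifetime: re-alarm every 30 minutes

def correlate(events, end_ts):   # replay (epoch, line) pairs -> sorted [(epoch, host, openview_event)]
    out, seen, alarmed = [], defaultdict(list), {}   # alarmed[host] = [last_trap, next_rearm]
    def advance(now):   # fire the timers SEC would fire on its own clock, up to 'now'
        for host, st in list(alarmed.items()):
            while True:
                clear_at = st[0] + WINDOW2
                if clear_at <= now and clear_at <= st[1]:   # window2 passed with 0 traps
                    out.append((clear_at, host, "NUP_EV"))  # action2, then delete CPU_REALARM
                    del alarmed[host]
                    break
                if st[1] <= now:                            # context expired: re-alarm
                    out.append((st[1], host, "NDWN_EV"))
                    st[1] += REARM                          # context re-created for 1800 s
                    continue
                break
    for ts, line in sorted(events):
        advance(ts)
        m = TRAP_RE.search(line)
        if not m:
            continue
        host = m.group(1)                 # desc=$1: one correlation operation per host
        if host in alarmed:               # already alarmed: a trap only postpones the clear
            alarmed[host][0] = ts
            continue
        seen[host] = [t for t in seen[host] if t > ts - WINDOW] + [ts]   # sliding window
        if len(seen[host]) >= THRESH:     # GENERATE_CPU_ALARM_host -> alerting rule fires
            out.append((ts, host, "NDWN_EV"))
            alarmed[host] = [ts, ts + REARM]
            seen.pop(host)
    advance(end_ts)
    return sorted(out)

def trap(host, cpu):   # constructed trap line in the format quoted in the thread
    return (f"1364222455 3 Mon Mar 25 14:40:55 2013 {host} ? [2] private.enterprises.3224.2.3.0 "
            f"[Root]system-critical-00030: SYSTEM CPU utilization is high ({cpu} > alarm threshold:65)")

def demo():
    # Constructed timeline: outervp01 high for 10 min with a varying CPU value,
    # innervp02 high for 40 min, edgevp03 sends 3 traps spread over more than 5 min.
    events = [(t, trap("outervp01", 70 + t % 13)) for t in range(0, 601, 60)]
    events += [(t, trap("innervp02", 80)) for t in range(0, 2401, 60)]
    events += [(t, trap("edgevp03", 90)) for t in (0, 200, 400)]
    return correlate(events, 2900)
```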
2013/3/30 Risto Vaarandi <risto.vaara...@gmail.com>
> hi Vernon,
> as John and David have already suggested, you need to fix the 'desc'
> keyword of the counting rule, since this sets the scope of event
> correlation. Using $0 for 'desc' is not a good idea, since $0 match
> variable holds the *entire* matching line, including timestamps and CPU
> utilization values! As I have understood, the only variable part of the
> event that is relevant for event correlation is the host name. I have
> crafted an example ruleset for you which extracts this from input events,
> assigns it to $1 match variable and uses it in the 'desc' field. In that way,
> you can do event correlation for distinct host names.
> (If you would use $0, you would start distinct event correlation
> operations for each distinct host, CPU utilization value, and also
> timestamp of the first alarm -- this is something you would probably want!)
> I have also fixed the regular expression for matching the host names, and
> used \w+vp\d+ for this -- in other words, I assume that the hostname begins
> with alphanumerals, then contains the string "vp" which is finally followed
> by one or more digits.
> As John suggested, you could use context for rearming functionality (which
> I have done in my example rule). Instead of generating the initial alarm
> from the SingleWith2Thresholds rule, the ruleset generates a synthetic
> event which is matched by the separate alerting rule. The alerting rule
> sends an alarm to HP OpenView and then rearms itself to reissue the alarm
> after 30 minutes (1800 seconds). The rearming is done with a context, and
> if the error condition goes away, the first rule simply deletes it, which
> breaks the "alarm -> rearm -> alarm -> ..." loop.
> The sample ruleset is attached to this letter as juniper-cpu.conf.
> kind regards,
> risto
>
> 2013/3/29 Vernon Nelson <keible...@gmail.com>
>
>> ALCON,
>>
>> I have been trying to meet some criteria for about a week now and
>> I cannot seem to nail it. I am trying to meet the following
>> requirements for matching a Juniper Netscreen trap for cpu utilization.
>> However, I cannot get it just right. Any help would be greatly appreciated.
>>
>> Problem:
>>
>> trap from Juniper comes in every minute when over cpu threshold
>>
>> Solution I am trying to accomplish:
>>
>> 1) push event to the event browser after 3 traps in 5 minutes
>> 2) re-alarm after 30 minutes
>> 3) clear alarm after 10 minutes with no traps
>>
>> What I have works unless the CPU% changes and I cannot figure out how to
>> get around matching that part of the trap.
>>
>> Example traps:
>>
>> 1364222455 3 Mon Mar 25 14:40:55 2013 outervp01 ? [2]
>> private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>> [Root]system-critical-00030: SYSTEM CPU utilization is high (78 > alarm
>> threshold:65) 1 times in 1 minute
>>
>> 1364222455 3 Mon Mar 25 14:40:55 2013 outervp01 ? [2]
>> private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>> [Root]system-critical-00030: SYSTEM CPU utilization is high (76 > alarm
>> threshold:65) 1 times in 1 minute
>>
>> Ruleset:
>>
>> # match only when you receive 15 traps from the source VPN
>> type=SingleWithThreshold
>> ptype=RegExp
>> continue=TakeNext
>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>> desc= $5 high CPU alarm
>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>> window=930
>> thresh=15
>>
>> type=SingleWith2Thresholds
>> ptype=RegExp
>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>> desc=$0
>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>> window=330
>> thresh=3
>> desc2=$0
>> action2=shellcmd /usr/OV/bin/event -e NUP_EV -h $5 -d "TEST EVENT: 2 $5 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is below the threshold."
>> window2=600
>> thresh2=10
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users