...final notes -- since the original event from the trap log is not passed
to any further rules, you can safely remove continue=takenext from the
SingleWith2Thresholds rule.
Also, if you want to have different texts for the 1st alarm and reissued
alarms, you can take the 'action' field from the Single rule and use it in
the SingleWith2Thresholds rule with the appropriate alarm string for
/usr/OV/bin/event.
regards,
risto


2013/3/30 Risto Vaarandi <risto.vaara...@gmail.com>

> ...the ruleset seems to be not recognized as plain text with the .conf
> extension:
>
> type=SingleWith2Thresholds
> ptype=RegExp
> continue=TakeNext
> pattern=(\w+vp\d+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
> desc=$1 high CPU alarm
> action=event GENERATE_CPU_ALARM_$1
> window=300
> thresh=3
> desc2=$1 CPU normal
> action2=shellcmd  /usr/OV/bin/event -e NUP_EV  -h $1 \
>         -d  "TEST EVENT: 2 $1 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is below the threshold."; \
>         delete CPU_REALARM_$1
> window2=600
> thresh2=0
>
> type=Single
> ptype=RegExp
> pattern=GENERATE_CPU_ALARM_(\w+vp\d+)
> desc=$1 high CPU realarm
> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $1 \
>        -d "TEST EVENT: 2 $1 system-critical-00030: SYSTEM CPU utilization is high."; \
>         create CPU_REALARM_$1 1800 (event GENERATE_CPU_ALARM_$1)
>
>
> 2013/3/30 Risto Vaarandi <risto.vaara...@gmail.com>
>
>> hi Vernon,
>> as John and David have already suggested, you need to fix the 'desc'
>> keyword of the counting rule, since this sets the scope of event
>> correlation. Using $0 for 'desc' is not a good idea, since $0 match
>> variable holds the *entire* matching line, including timestamps and CPU
>> utilization values! As I have understood, the only variable part of the
>> event that is relevant for event correlation is the host name. I have
>> crafted an example ruleset for you which extracts this from input events,
>> assigns it to $1 match variable and uses it in the 'desc' field. In that way,
>> you can do event correlation for distinct host names.
>>  (If you would use $0, you would start distinct event correlation
>> operations for each distinct host, CPU utilization value, and also
>> timestamp of the first alarm -- this is something you would probably want!)
>> I have also fixed the regular expression for matching the host names, and
>> used \w+vp\d+ for this -- in other words, I assume that the hostname begins
>> with alphanumerals, then contains the string "vp" which is finally followed
>> by one or more digits.
>> As John suggested, you could use context for rearming functionality
>> (which I have done in my example rule). Instead of generating the initial
>> alarm from the SingleWith2Thresholds rule, the ruleset generates a
>> synthetic event which is matched by the separate alerting rule. The
>> alerting rule sends alarm to HP OpenView and then rearms itself to reissue
>> the alarm after 30 minutes (1800 seconds). The rearming is done with a
>> context, and if the error condition goes away, the first rule simply
>> deletes it, which breaks the "alarm -> rearm -> alarm -> ..."  loop.
>> The sample ruleset is attached to this letter as juniper-cpu.conf.
>> kind regards,
>> risto
>>
>>
>>
>> 2013/3/29 Vernon Nelson <keible...@gmail.com>
>>
>>> ALCON,
>>>
>>>
>>>
>>>       I have been trying to meet some criteria for about a week now and
>>> I cannot seem to nail it.  I am trying to meet the following
>>> requirements for matching a Juniper Netscreen trap for cpu utilization.
>>> However, I cannot get it just right.  Any help would be greatly
>>> appreciated.
>>>
>>>
>>>
>>> Problem:
>>>
>>>       trap from Juniper comes in every minute when over cpu threshold
>>>
>>>
>>>
>>> Solution I am trying to accomplish:
>>>
>>>       1) push event to the event browser after 3 traps in 5 minutes
>>>
>>>       2) re-alarm after 30 minutes
>>>
>>>       3) clear alarm after 10 minutes with no traps
>>>
>>>
>>>
>>> What I have works unless the CPU% changes and I cannot figure out how to
>>> get around matching that part of the trap.
>>>
>>>
>>>
>>> Example traps:
>>>
>>> 1364222455 3  Mon Mar 25 14:40:55 2013  outervp01           ?  [2]
>>> private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>>> [Root]system-critical-00030: SYSTEM CPU utilization is high (78 > alarm
>>> threshold:65) 1 times in 1 minute
>>>
>>> 1364222455 3  Mon Mar 25 14:40:55 2013  outervp01           ?  [2]
>>> private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41
>>> [Root]system-critical-00030: SYSTEM CPU utilization is high (76 > alarm
>>> threshold:65) 1 times in 1 minute
>>>
>>>
>>>
>>>
>>>
>>> Ruleset:
>>>
>>>
>>>
>>> # match only when you receive 15 traps from the source VPN
>>> type=SingleWithThreshold
>>> ptype=RegExp
>>> continue=TakeNext
>>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>>> desc= $5 high CPU alarm
>>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>>> window=930
>>> thresh=15
>>>
>>> type=SingleWith2Thresholds
>>> ptype=RegExp
>>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>>> desc=$0
>>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>>> window=330
>>> thresh=3
>>> desc2=$0
>>> action2=shellcmd  /usr/OV/bin/event -e NUP_EV  -h $5 -d  "TEST EVENT: 2 $5 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is  below the threshold."
>>> window2=600
>>> thresh2=10
>>>
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>>
>>
>
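
The effect of the 'desc' scope discussed in this thread, as an added Python sketch (not part of any message above and not SEC code): it counts traps in the thread's format with a simplified sliding window, keying once on the whole line as $0 does and once on the host name in $1. The host innervp02, the CPU values, the epochs and the arrival times are constructed.

```python
import re
from collections import defaultdict

# Pattern from the reply's ruleset, copied as posted (dots left unescaped).
PATTERN = re.compile(
    r"(\w+vp\d+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high")

def make_trap(epoch, host, cpu):
    """Build a constructed trap line in the format of the thread's examples."""
    return (f"{epoch} 3  Mon Mar 25 14:40:55 2013  {host}           ?  [2] "
            "private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41 "
            "[Root]system-critical-00030: SYSTEM CPU utilization is high "
            f"({cpu} > alarm threshold:65) 1 times in 1 minute")

def correlation_key(desc, line, match):
    """Expand a 'desc' template: $0 is the whole input line, $1 the host name."""
    return desc.replace("$0", line).replace("$1", match.group(1))

def alarms(events, desc, window=300, thresh=3):
    """Simplified model of threshold counting, one counter per correlation key.

    events is a list of (arrival_second, line); returns the keys that
    collected `thresh` matching lines within `window` seconds.
    """
    counters = defaultdict(list)
    fired = []
    for arrival, line in events:
        match = PATTERN.search(line)
        if match is None:
            continue
        key = correlation_key(desc, line, match)
        recent = [t for t in counters[key] if arrival - t < window]
        counters[key] = recent + [arrival]
        if len(counters[key]) >= thresh and key not in fired:
            fired.append(key)
    return fired

# Constructed input: outervp01 (host from the thread) sends three traps with
# changing CPU values; innervp02 (hypothetical host) sends only two.
EVENTS = [
    (0, make_trap(1364222455, "outervp01", 78)),
    (30, make_trap(1364222485, "innervp02", 70)),
    (60, make_trap(1364222515, "outervp01", 76)),
    (90, make_trap(1364222545, "innervp02", 71)),
    (120, make_trap(1364222575, "outervp01", 80)),
]

if __name__ == "__main__":
    print("desc=$1 high CPU alarm:", alarms(EVENTS, "$1 high CPU alarm"))
    print("desc=$0:", alarms(EVENTS, "$0"))
```

Keyed on the host name, the three outervp01 traps share one counter and reach the threshold; keyed on the whole line, every trap opens its own counter and none does.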