Risto,
The example worked perfectly. Thank you very much for all of your
responses.
/r
Vernon Nelson
On Sat, Mar 30, 2013 at 7:42 AM, Risto Vaarandi <risto.vaara...@gmail.com> wrote:
> ...final notes -- since the original event from the trap log is not
> passed to any further rules, you can safely remove continue=takenext from
> the SingleWith2Thresholds rule.
> Also, if you want to have different texts for the 1st alarm and reissued
> alarms, you can take the 'action' field from the Single rule and use it in
> the SingleWith2Thresholds rule with the appropriate alarm string for
> /usr/OV/bin/event.
> regards,
> risto
>
>
> 2013/3/30 Risto Vaarandi <risto.vaara...@gmail.com>
>
>> ...the ruleset does not seem to be recognized as plain text with the .conf
>> extension:
>>
>> type=SingleWith2Thresholds
>> ptype=RegExp
>> continue=TakeNext
>> pattern=(\w+vp\d+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>> desc=$1 high CPU alarm
>> action=event GENERATE_CPU_ALARM_$1
>> window=300
>> thresh=3
>> desc2=$1 CPU normal
>> action2=shellcmd /usr/OV/bin/event -e NUP_EV -h $1 \
>> -d "TEST EVENT: 2 $1 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is below the threshold."; \
>> delete CPU_REALARM_$1
>> window2=600
>> thresh2=0
>>
>> type=Single
>> ptype=RegExp
>> pattern=GENERATE_CPU_ALARM_(\w+vp\d+)
>> desc=$1 high CPU realarm
>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $1 \
>> -d "TEST EVENT: 2 $1 system-critical-00030: SYSTEM CPU utilization is high."; \
>> create CPU_REALARM_$1 1800 (event GENERATE_CPU_ALARM_$1)
>>
>>
>> 2013/3/30 Risto Vaarandi <risto.vaara...@gmail.com>
>>
>>> hi Vernon,
>>> as John and David have already suggested, you need to fix the 'desc'
>>> keyword of the counting rule, since this sets the scope of event
>>> correlation. Using $0 for 'desc' is not a good idea, since $0 match
>>> variable holds the *entire* matching line, including timestamps and CPU
>>> utilization values! As I have understood, the only variable part of the
>>> event that is relevant for event correlation is the host name. I have
>>> crafted an example ruleset for you which extracts this from input events,
>>> assigns it to the $1 match variable and uses it in the 'desc' field. In that way,
>>> you can do event correlation for distinct host names.
>>> (If you would use $0, you would start distinct event correlation
>>> operations for each distinct host, CPU utilization value, and also
>>> timestamp of the first alarm -- this is something you would probably want!)
>>> I have also fixed the regular expression for matching the host names,
>>> and used \w+vp\d+ for this -- in other words, I assume that the hostname
>>> begins with alphanumerals, then contains the string "vp" which is finally
>>> followed by one or more digits.
>>> As John suggested, you could use context for rearming functionality
>>> (which I have done in my example rule). Instead of generating the initial
>>> alarm from the SingleWith2Thresholds rule, the ruleset generates a
>>> synthetic event which is matched by the separate alerting rule. The
>>> alerting rule sends an alarm to HP OpenView and then rearms itself to reissue
>>> the alarm after 30 minutes (1800 seconds). The rearming is done with a
>>> context, and if the error condition goes away, the first rule simply
>>> deletes it, which breaks the "alarm -> rearm -> alarm -> ..." loop.
>>> The sample ruleset is attached to this letter as juniper-cpu.conf.
>>> kind regards,
>>> risto
>>>
>>>
>>>
>>> 2013/3/29 Vernon Nelson <keible...@gmail.com>
>>>
>>>> ALCON,
>>>>
>>>> I have been trying to meet some criteria for about a week now
>>>> and I cannot seem to nail it. I am trying to meet the following
>>>> requirements for matching a Juniper Netscreen trap for cpu utilization.
>>>> However, I cannot get it just right. Any help would be greatly
>>>> appreciated.
>>>>
>>>> Problem:
>>>>
>>>> trap from Juniper comes in every minute when over cpu threshold
>>>>
>>>> Solution I am trying to accomplish:
>>>>
>>>> 1) push event to the event browser after 3 traps in 5 minutes
>>>> 2) re-alarm after 30 minutes
>>>> 3) clear alarm after 10 minutes with no traps
>>>>
>>>> What I have works unless the CPU% changes and I cannot figure out how
>>>> to get around matching that part of the trap.
>>>>
>>>> Example traps:
>>>>
>>>> 1364222455 3 Mon Mar 25 14:40:55 2013 outervp01 ? [2] private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41 [Root]system-critical-00030: SYSTEM CPU utilization is high (78 > alarm threshold:65) 1 times in 1 minute
>>>>
>>>> 1364222455 3 Mon Mar 25 14:40:55 2013 outervp01 ? [2] private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41 [Root]system-critical-00030: SYSTEM CPU utilization is high (76 > alarm threshold:65) 1 times in 1 minute
>>>>
>>>> Ruleset:
>>>>
>>>> # match only when you receive 15 traps from the source VPN
>>>> type=SingleWithThreshold
>>>> ptype=RegExp
>>>> continue=TakeNext
>>>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>>>> desc= $5 high CPU alarm
>>>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>>>> window=930
>>>> thresh=15
>>>>
>>>> type=SingleWith2Thresholds
>>>> ptype=RegExp
>>>> pattern=(\w{8}vp\w+)\s+.*3224.2.3.0.*system-critical-00030.+CPU utilization is high
>>>> desc=$0
>>>> action=shellcmd /usr/OV/bin/event -e NDWN_EV -h $5 -d "TEST EVENT: 2 $5 system-critical-00030: SYSTEM CPU utilization is high."
>>>> window=330
>>>> thresh=3
>>>> desc2=$0
>>>> action2=shellcmd /usr/OV/bin/event -e NUP_EV -h $5 -d "TEST EVENT: 2 $5 has sent 0 SYSTEM CPU utilization traps in the last 10 minutes. Validate the CPU is below the threshold."
>>>> window2=600
>>>> thresh2=10
>>>>
>>>>
>>>>
>>>
>>
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
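The two points Risto makes above, that the 'desc' field sets the scope of the counting operation (so desc=$0 starts a separate operation per CPU value and timestamp, while desc=$1 counts per host) and that the CPU_REALARM_<host> context drives the alarm -> rearm -> alarm loop until the clear deletes it, can be replayed offline. The following is an added example and not code from the thread or from SEC itself: a deliberately simplified Python model of the two rules Risto posted, fed with constructed trap lines modelled on Vernon's samples. The regex and the window/threshold/context values are taken from the posted ruleset; make_trap, correlate and the exact timing of the second threshold (thresh2=0 treated as "window2 seconds since the last trap") are assumptions of this model, not SEC's implementation.

```python
import re

# Regex from the ruleset Risto posted (dots escaped here); group 1 is the
# host name that becomes $1 and, via desc=$1, the correlation key.
TRAP_RE = re.compile(
    r"(\w+vp\d+)\s+.*3224\.2\.3\.0.*system-critical-00030.+CPU utilization is high")

WINDOW, THRESH = 300, 3      # window=300 / thresh=3   : alarm after 3 traps in 5 min
WINDOW2, THRESH2 = 600, 0    # window2=600 / thresh2=0 : clear after 10 min without traps
REALARM = 1800               # lifetime of the CPU_REALARM_<host> context (30 min)


def make_trap(offset, host, cpu):
    """Constructed trap line modelled on the two samples in the thread; the
    leading timestamp and the CPU value change per trap, as in real traps."""
    return (offset, f"{1364222455 + offset} 3 Mon Mar 25 14:40:55 2013 {host} ? [2] "
                    "private.enterprises.3224.2.3.0 (OctetString): 2013-03-25 14:41:41 "
                    "[Root]system-critical-00030: SYSTEM CPU utilization is high "
                    f"({cpu} > alarm threshold:65) 1 times in 1 minute")


def correlate(traps, end_time, desc_whole_line=False):
    """Replay (offset, line) traps through a simplified model of the two rules.

    desc_whole_line=False keys counting operations on the host name (desc=$1);
    desc_whole_line=True keys them on the entire input line (desc=$0).
    Returns the (time, action) pairs the rules would fire, in order.
    """
    ops = {}        # desc key -> state of one SingleWith2Thresholds operation
    contexts = {}   # CPU_REALARM_<host> -> expiry time
    fired = []
    traps = sorted(traps)
    i = 0
    for now in range(end_time + 1):
        # Deliver every trap stamped with the current second.
        while i < len(traps) and traps[i][0] == now:
            _, line = traps[i]
            i += 1
            m = TRAP_RE.search(line)
            if not m:
                continue
            host = m.group(1)
            key = line if desc_whole_line else host
            op = ops.setdefault(key, {"host": host, "times": [], "active": False})
            op["times"].append(now)
            if not op["active"]:
                op["times"] = [t for t in op["times"] if now - t < WINDOW]
                if len(op["times"]) >= THRESH:
                    # action=event GENERATE_CPU_ALARM_<host>: the Single rule
                    # sends NDWN_EV and creates the rearm context.
                    op["active"] = True
                    fired.append((now, f"NDWN_EV {host} (alarm)"))
                    contexts[f"CPU_REALARM_{host}"] = now + REALARM
        # Expired rearm context -> synthetic event -> the Single rule fires
        # again and re-creates the context, so the loop repeats every 30 min.
        for name in list(contexts):
            if contexts[name] <= now:
                host = name[len("CPU_REALARM_"):]
                fired.append((now, f"NDWN_EV {host} (re-alarm)"))
                contexts[name] = now + REALARM
        # Second threshold (model): no trap for window2 seconds -> action2
        # sends NUP_EV and deletes the context, which breaks the rearm loop.
        for key, op in list(ops.items()):
            if op["active"] and now - op["times"][-1] >= WINDOW2:
                fired.append((now, f"NUP_EV {op['host']} (clear)"))
                contexts.pop(f"CPU_REALARM_{op['host']}", None)
                del ops[key]
    return fired


# Constructed scenarios: a burst that stops, and a condition that persists.
TRANSIENT = [make_trap(t, "outervp01", cpu) for t, cpu in ((0, 78), (60, 76), (120, 81))]
SUSTAINED = [make_trap(t, "outervp01", 70 + t % 17) for t in range(0, 2401, 60)]

if __name__ == "__main__":
    print("desc=$1, transient:", correlate(TRANSIENT, 2400))
    print("desc=$1, sustained:", correlate(SUSTAINED, 2400))
    print("desc=$0, sustained:", correlate(SUSTAINED, 2400, desc_whole_line=True))
```

With desc=$1 the transient burst alarms at 120 s and clears at 720 s with no re-alarm, and the sustained condition alarms at 120 s and re-alarms at 1920 s; with desc=$0 neither scenario ever alarms, because every line carries a different timestamp and CPU value and so starts its own operation that never reaches thresh=3.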