Risto,
Thanks for pointing the way. An EventGroup rule definitely was the way to go.
It simplified everything quite a bit.
Gary
From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Friday, June 28, 2013 11:15 AM
To: Boyles, Gary P; simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Looking For A Better Way To Do A Rule-Set.
hi Gary,
I have to say that the rule looks quite complex. Maybe it's a better idea to split the logic into two rules? The first rule could be the one that you proposed in the beginning of the thread (the one which decreases the severity for a given class). However, the second rule would do counting for events of interest, and would set up a context if two events from different sources have been seen. In order to do counting so that each counter increment happens for a unique event, I would propose to use the EventGroup rule. In fact, the introduction of the SEC man page contains a relevant example for SSH login failures. Let me provide a slightly modified part from the example:
type=EventGroup
init=create USER_COUNTING
end=delete USER_COUNTING
ptype=RegExp
pattern=SSH_LOGIN_FAILURE_FOR_(\S+)
context=!USER_$1_COUNTED
count=alias USER_COUNTING USER_$1_COUNTED
desc=Repeated SSH login failures for 3 distinct users within 1m
action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
window=60
thresh=3
This example counts SSH login failure events for *distinct* users, and sends an e-mail if events for three different usernames have been seen within 1 minute. As I understood from the mail, you can set the 'window' field to a fairly large value (perhaps even 1 day or 86400 seconds?), and also, 'thresh' should simply be changed from 3 to 2. Note that the above example also uses context aliases in order to ensure the uniqueness of each counted username. Also, the aliases are created and dropped by the 'init' and 'end' fields of the EventGroup rule. In short, I would recommend having a look at the higher-end SEC rule types, since sometimes they do many things for you which would otherwise require a lot of Perl coding.
kind regards,
risto
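To make the two-rule design concrete, here is a small Python model of it (an added example, not code from the thread or from SEC itself): one EventGroup-style counter that counts distinct sources per node inside a window and creates a stop context when two have been seen, followed by Gary's downgrade rule, which stays inactive while that context exists. The event format (14 " :: "-separated fields, with $2, $4, $5 and $10 at the same positions as in the thread), the stop-context name NFS_STOP::node (keyed on node only), the window of 86400 seconds and the context lifetime of 300 seconds are assumptions taken from or made for this illustration; the sample events are constructed.

```python
"""Model of the two-rule SEC design discussed in the thread (added example).

Assumptions: 14-field events separated by ' :: ', node in $2, class in $4,
severity in $5, source in $10; the stop context is named NFS_STOP::<node>.
"""
import re
from dataclasses import dataclass, field

SEP = " :: "          # field separator used by Gary's events
WINDOW = 86400        # Risto's suggested EventGroup window, in seconds
THRESH = 2            # fire after two distinct sources
STOP_LIFETIME = 300   # lifetime of the stop context (Gary's 300 seconds)
CLASS_RE = re.compile(r"nfs_slow", re.I)   # Gary's /nfs_slow/i test


def split_fields(line):
    """Model of the perlFunc pattern: split on ' :: '.  SEC numbers the
    returned list $1, $2, ..., so field $N is fields[N-1]."""
    return line.split(SEP)


def is_nfs_slow_critical(fields):
    """Model of the '($4 $5) -> (sub {...})' context test."""
    return bool(CLASS_RE.search(fields[3])) and fields[4] == "CRITICAL"


@dataclass
class Correlator:
    """SEC-like state: named contexts with expiry, plus one counting
    operation per node that remembers which sources were already counted
    (the role of the alias contexts in Risto's EventGroup example)."""
    contexts: dict = field(default_factory=dict)  # name -> expiry timestamp
    counted: dict = field(default_factory=dict)   # node -> {source: first_seen}

    def context_active(self, name, now):
        expiry = self.contexts.get(name)
        if expiry is None:
            return False
        if expiry <= now:             # an expired context counts as absent
            del self.contexts[name]
            return False
        return True

    def count_distinct(self, node, source, now):
        """EventGroup model: a source is counted only once per operation;
        sources that fell out of the window are dropped.  Returns True
        when this event brings the distinct count up to THRESH."""
        sources = self.counted.setdefault(node, {})
        for stale in [s for s, t in sources.items() if now - t > WINDOW]:
            del sources[stale]
        if source in sources:         # alias for this source already exists
            return False
        sources[source] = now
        if len(sources) >= THRESH:
            self.counted.pop(node)    # operation ends, aliases are dropped
            return True
        return False

    def process(self, line, now):
        """Run one event through both rules.  Returns the rewritten event
        the downgrade rule would emit, or None if it did not fire."""
        fields = split_fields(line)
        if len(fields) < 10 or not is_nfs_slow_critical(fields):
            return None
        node, source = fields[1], fields[9]        # $2 and $10
        stop = f"NFS_STOP::{node}"                 # assumed context name
        # Rule 1 (continue=TakeNext): count distinct sources for this node.
        if self.count_distinct(node, source, now):
            self.contexts[stop] = now + STOP_LIFETIME
        # Rule 2: downgrade CRITICAL to HARMLESS unless the stop context is active.
        if self.context_active(stop, now):
            return None
        out = list(fields)
        out[4] = "HARMLESS"                        # $5
        return SEP.join(out)


def make_event(node, source, severity="CRITICAL", cls="NFS_Slow"):
    """Constructed 14-field sample event; only $2, $4, $5 and $10 matter."""
    f = [f"f{i}" for i in range(1, 15)]
    f[1], f[3], f[4], f[9] = node, cls, severity, source
    return SEP.join(f)


def demo():
    """Feed a constructed sequence through the correlator."""
    c = Correlator()
    return [
        c.process(make_event("nodeA", "src1"), 1000),  # first source: downgraded
        c.process(make_event("nodeA", "src1"), 1010),  # same source: still downgraded
        c.process(make_event("nodeA", "src2"), 1020),  # second source: stop context, stays CRITICAL
        c.process(make_event("nodeA", "src1"), 1030),  # stop context active: stays CRITICAL
        c.process(make_event("nodeB", "src1"), 1040),  # other node is unaffected
        c.process(make_event("nodeA", "src1"), 1400),  # stop context expired: downgraded again
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ordering matters in the same way it does in SEC: because the counting rule runs first and the event that reaches the threshold creates the stop context before the downgrade rule sees that same event, the second-source event itself is kept at CRITICAL rather than only the events after it.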
2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
The timeframe doesn't matter. In my current setup I set the context for 300 seconds.
The problem is with the $10 (source) variable. I want to deactivate the rule below (i.e. NFS_Slow_To_HARMLESS) by creating the context NFS_STOP::$2::$10 if I receive the same event from two different sources.
Here is the rule I ended up with to determine that... it just seems like there is probably a very simple way of doing this that I'm not utilizing (i.e. a can't-see-the-forest-for-the-trees issue).
################################################################################
# Notes:
# 1. monitor ($4) = BEM_CLASS
# 2. Project ($8) = Site
# 3. mon_id ($10)= Source
#
# The pattern splits the event on " :: " so that field N is available as $N.
# The lcall action remembers the first source seen per node in %NFS_Slow and
# returns the context name to create: NFS::node::source on the first source,
# NFS_STOP::node::source once a different source reports the same node.
################################################################################
type=Single
continue=TakeNext
ptype=perlFunc
pattern=sub { my (@parseStr) = split/ :: /, $_[0]; return (@parseStr); }
context=($4 $5) -> (sub { my $class = $_[0]; my $severity = $_[1]; \
if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else { return 0; } })
desc=NFS_Slow_Setup::$2::$10
action=lcall %NFS_Context $2 $10 -> ( sub { my $node = $_[0]; my $source = $_[1]; \
my $nfs_context = "NFS::" . $node . "::" . $source; \
if (!exists $NFS_Slow{$node}) { \
$NFS_Slow{$node} = $source; \
return $nfs_context; \
} else { \
if ($NFS_Slow{$node} ne $source) { \
$nfs_context = "NFS_STOP::" . $node . "::" . $source; \
$NFS_Slow{$node} = $source; \
return $nfs_context; \
} else { return $nfs_context; } \
} \
} ) ; create %NFS_Context 300
Thanks for taking a look !!!
Gary Boyles
-----Original Message-----
From: David Lang [mailto:da...@lang.hm]
Sent: Thursday, June 27, 2013 8:23 PM
To: Boyles, Gary P
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Looking For A Better Way To Do A Rule-Set.
On Fri, 28 Jun 2013, Boyles, Gary P wrote:
> Hi All,
>
> I have a request for a rule-set that does the following:
>
> 1. An event comes in with "node" in $2, class NFS_IS_Slow in ($4), severity
> in ($5), and source in ($10).
>
> 2. The request is for an event of this class ($4) from node ($2) to change
> the severity ($5) from CRITICAL to HARMLESS.
>
> 3. This is fairly easy to do... with the following rule:
>
> type=Single
> continue=DontCont
> ptype=perlFunc
> pattern=sub { my (@parseStr) = split/ :: /, $_[0]; return (@parseStr); }
> context=!(NFS_STOP::$2::$10) && ($4 $5) -> (sub { my $class = $_[0]; my $severity = $_[1]; \
> if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else { return 0; } } )
> desc=NFS_Slow_To_HARMLESS::$2::$10
> action=write %SEC_HOME/log/EC.main.log %u %s ; \
> event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
>
> More Info:
> I have a request to keep the severity of CRITICAL - if the "source" ($10) is
> different for two events.
>
> Question:
> Is there an easy way to set the context "NFS_STOP::$2::$10" if the source
> ($10) changes?
>
> I've got perl-code that sets this in a rule, and this rule is placed before the one above,
> but I was looking for a simple way to evaluate a previous event/context and set the context
> below without using a lot of perl code.
>
> Summary:
>
> 1. I use the rule above to change/replace the severity from CRITICAL to
> HARMLESS.
>
> 2. But I also need to NOT do that (i.e. deactivate the rule) if $10 is
> different for two events.
>
The context can be any string you want, so you can include $10 in the context.
Now, the first problem I have is that you want to do something if $10 is different for two events, but two events over what timeframe? Over the entire time that SEC is running?
Does the quantity and order of alerts matter? What if you get 10 events from one, and 1 event from a second? What if you get 1 event from one and 10 events from a second?
You may very well want to have multiple rules processing the same log line (takenext=continue) so that you can do different things with the log messages, but more info is needed to create the specific rules.
David Lang
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users