Hi risto,
The rule takes its input from my test log; the command is as follows:
perl /usr/local/sbin/sec.pl -conf=device_sec.cfg --input /home/andrew/snmptttest.log
type=SingleWithThreshold
ptype=regexp
pattern=(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at (.+)/(.+) on VLAN (\d+)
desc=A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds
action = pipe ' $1 A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds at %t' /bin/mail -s "A Spanning Tree Topology Change flapping flapping event" andrewarn...@gmail.com
thresh=2
window=5
But when I insert two records into my log, as follows:
Wed Feb 5 14:0240 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco-7609P - A Spanning Tree Topology Change at Gi2/17 on VLAN 2782
Wed Feb 5 14:02:41 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco -7609P - A Spanning Tree Topology Change at Gi2/17 on VLAN 2782
I have included them in the 'desc' field, but I still receive two
"A Spanning Tree Topology Change flapping flapping event" mails.
Can you give me some advice on what to do, please?
Andrew
hi Andrew,
what is the counting scope of the rule? From your rule definition it
appears that an e-mail is issued if sec observes 2 events for the same
device and VLAN (held by $4 and $8 variables, respectively).
Please be advised that if you have 2 events for the same device and
VLAN, but some other event fields (such as $6 and $7) are different,
these events are counted by the same operation, which will trigger an
e-mail warning. If you want these fields to be the same across all
events which are counted together, you need to include them in the
'desc' field.
Also, I'd recommend posting some sample events which are incorrectly
counted in your opinion. Having a look at them would help others to
provide suggestions on how to fix your rule.
kind regards,
risto
From: andrewarnier [mailto:andrewarn...@gmail.com]
Sent: Wednesday, February 05, 2014 4:38 PM
To: 'simple-evcorr-users@lists.sourceforge.net'
Subject: event mail
Hi,
I have set a rule as follows,
type=SingleWithThreshold
ptype=regexp
pattern=(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at (.+)/(.+) on VLAN (\d+)
desc=A Spanning Tree Topology Change flapping flapping event for device $4 on VLAN $8 in 5 seconds
action = pipe ' $1 A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds at %t' /bin/mail -s "A Spanning Tree Topology Change flapping flapping event" andrewarn...@gmail.com
thresh=2
window=5
But when an event occurs, it sends two "A Spanning Tree Topology Change
flapping flapping event" mails. Why?
How can I set it so that when an event occurs it sends only one mail?
Can anyone give me some advice on what to do, please?
andrew
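
Added example, not part of the thread and not SEC's own code: a simplified Python model of the counting scope risto describes, in which every distinct expanded 'desc' string gets its own counter. The arrival times, the Gi2/18 event and the shortened desc templates are constructed, and the model restarts an expired window instead of sliding it as SEC does.

```python
import re

# Pattern copied from the rule in the thread, joined onto one line.
PATTERN = re.compile(r'(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at '
                     r'(.+)/(.+) on VLAN (\d+)')

# Shortened desc templates (assumption): the two scopes discussed in the thread.
DESC_DEVICE_VLAN = 'flapping for device $4 on VLAN $8'
DESC_WITH_PORT = 'flapping for device $4 at $6/$7 on VLAN $8'

# Constructed events: (arrival time in seconds, log line).
PREFIX = 'Wed Feb 5 14:02:40 2014 .1.3.6.1.2.1.17.0.2 Critical "VLAN" cisco-7609P - '
EVENTS = [
    (0, PREFIX + 'A Spanning Tree Topology Change at Gi2/17 on VLAN 2782'),
    (1, PREFIX + 'A Spanning Tree Topology Change at Gi2/18 on VLAN 2782'),
    (2, PREFIX + 'A Spanning Tree Topology Change at Gi2/17 on VLAN 2782'),
]

def expand(template, match):
    """Replace $1..$9 in a desc template with the pattern's capture groups."""
    return re.sub(r'\$(\d)', lambda m: match.group(int(m.group(1))), template)

def correlate(events, desc, thresh=2, window=5):
    """Return the expanded desc of every counting operation whose action fired."""
    ops = {}    # expanded desc -> [window start, event count, action already run]
    fired = []
    for now, line in events:
        match = PATTERN.search(line)
        if match is None:
            continue
        key = expand(desc, match)
        op = ops.get(key)
        if op is None or now - op[0] >= window:
            op = ops[key] = [now, 0, False]   # start a new counting operation
        op[1] += 1
        if op[1] >= thresh and not op[2]:
            op[2] = True                      # one action per window
            fired.append(key)
    return fired

if __name__ == '__main__':
    for desc in (DESC_DEVICE_VLAN, DESC_WITH_PORT):
        print(desc, '->', correlate(EVENTS, desc))
```

With the device-and-VLAN desc the events on Gi2/17 and Gi2/18 share one counter, so the second event already reaches the threshold; with the port in the desc only the repeated Gi2/17 event does.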
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users