hi Pavel,
the problem lies in the pattern2 field of the rule. Currently, the field is
defined as follows:
pattern2=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
Now, suppose that the following event comes in:
[1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded
This event will match the PairWithWindow rule, and the rule will start a
waiting operation for sbc-amalthea and SA-SIP-MSK-Nextel (since you have
used $2 and $3 in the 'desc' field of the rule definition). The waiting
operation will run for 3600 seconds, expecting to see "inservice" event
which would match the following regular expression:
^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
Unfortunately, this regular expression will not only match events
for sbc-amalthea and SA-SIP-MSK-Nextel, but for any other name combination.
For example, if the following event comes in
[1428995864] SCHEDULE_SVC_CHECK;sbc-test;SA-SIP-TEST-Nextel;1428995864;inservice
this event will match the regular expression, and thus the operation will
terminate (although it shouldn't).
In order to fix this problem, the expression should be modified as follows:
^([^;]* SCHEDULE_SVC_CHECK);($2);($3);([^;]*);(inservice)
Now we are restricting the expression to match the specific name
combination that was seen previously.
In fact, the most recent version of sec has also received a number of updates
to its official documentation, including more detailed documentation of the
Pair and PairWithWindow rules. In particular, the "Event Correlation
Operations" section contains an interesting example:
http://simple-evcorr.sourceforge.net/man.html#lbAX
I'd recommend looking into this example to get a detailed picture of how
the 'pattern2' field functions.
Hope this helps,
risto
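An added illustration, not part of Risto's reply and not SEC's own code: a small Python model of the PairWithWindow behaviour described above, run over constructed trap lines in the format of the thread. The model is deliberately simplified (one compiled pattern2 per waiting operation, window expiry checked when the next event arrives) and the rule strings, host names and Single-rule fall-through are assumptions made to mirror the configuration quoted below. It shows both outcomes: with the posted pattern2 an unrelated "inservice" trap closes the sbc-amalthea operation and the real partner leaks to the Single rule; with $2 and $3 substituted in, only the matching host/service pair closes it.

```python
"""Simplified model of a SEC PairWithWindow rule (added example, not SEC code)."""
import re

WINDOW = 3600
# Rule strings as posted in the thread; $2/$3 in PATTERN2_FIXED are filled in
# from the groups of the PATTERN match before pattern2 is compiled.
PATTERN = r"^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(constraintsexceeded)"
PATTERN2_LOOSE = r"^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)"
PATTERN2_FIXED = r"^([^;]* SCHEDULE_SVC_CHECK);($2);($3);([^;]*);(inservice)"
DESC = "SVC_CHECK $2 $3 const-inservice"
SINGLE = r"^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(.*)"

# Constructed sample trap lines (not the trap.dat attachment from the thread).
EVENTS = [
    "[1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded",
    "[1428995864] SCHEDULE_SVC_CHECK;sbc-test;SA-SIP-TEST-Nextel;1428995864;inservice",
    "[1428995865] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995865;inservice",
    "[1428995870] SCHEDULE_SVC_CHECK;sbc-io;SA-SIP-IO-Nextel;1428995870;constraintsexceeded",
    "[1428999999] SCHEDULE_SVC_CHECK;sbc-test;SA-SIP-TEST-Nextel;1428999999;inservice",
]


def substitute(template, match):
    """Replace $1..$N in a rule field with the groups of the pattern match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)


def event_time(event):
    """The [epoch] prefix of a trap line, used as the event clock."""
    return int(re.match(r"^\[(\d+)\]", event).group(1))


def correlate(events, pattern2, window=WINDOW):
    """Run the PairWithWindow rule followed by the Single rule over events.

    Returns which operations were closed by a pattern2 match (action2),
    which expired unpaired (action), and which events reached the Single rule.
    """
    ops = {}  # desc -> (start time, compiled pattern2 for this operation)
    out = {"paired": [], "expired": [], "single": []}
    for ev in events:
        now = event_time(ev)
        # 1. Expire operations whose window has passed: 'action' runs for the
        #    constraintsexceeded trap that never got its inservice partner.
        for desc in [d for d, (t0, _) in ops.items() if now >= t0 + window]:
            out["expired"].append(desc)
            del ops[desc]
        # 2. pattern: start a waiting operation keyed by desc; a repeated
        #    constraintsexceeded for the same key is absorbed by the running one.
        m = re.match(PATTERN, ev)
        if m:
            desc = substitute(DESC, m)
            if desc not in ops:
                ops[desc] = (now, re.compile(substitute(pattern2, m)))
            continue
        # 3. pattern2: test the event against each active operation's own
        #    compiled pattern2; a match closes that operation (action2).
        hit = next((d for d, (_, rx) in ops.items() if rx.match(ev)), None)
        if hit is not None:
            out["paired"].append(hit)
            del ops[hit]
            continue
        # 4. Not consumed by PairWithWindow: the event reaches the Single rule.
        if re.match(SINGLE, ev):
            out["single"].append(ev)
    return out


if __name__ == "__main__":
    for name, p2 in (("loose", PATTERN2_LOOSE), ("fixed", PATTERN2_FIXED)):
        res = correlate(EVENTS, p2)
        print(name, "paired:", res["paired"])
        print(name, "expired:", res["expired"])
        for ev in res["single"]:
            print(name, "Single rule saw:", ev)
```

With the loose pattern2 the sbc-amalthea "inservice" trap is the one that reaches the Single rule (and would be written to icinga.cmd), which is the symptom reported below; with the fixed pattern2 it is the unpaired sbc-test trap instead. Note that SEC substitutes $2/$3 textually into a Perl regex, so a host or service name containing regex metacharacters would be interpreted as such; the names in this thread contain only letters and hyphens, which is safe.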
2015-04-14 17:04 GMT+03:00 Lezin Pavel <ple...@mtt.ru>:
> Hi,
>
> We use PairWithWindow rule in our SEC configuration to suppress some
> useless SNMP traps.
>
> Our config is based on these rules:
>
> type=PairWithWindow
> ptype=RegExp
> pattern=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(constraintsexceeded)
> desc=SVC_CHECK $2 $3 "const-inservice"
> action=logonly; write icinga.cmd ($1;$2;$3;$4)
> ptype2=RegExp
> pattern2=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
> action2=logonly
> desc2=SVC_CHECK $2 $3 "const-inservice"
> window=3600
>
>
> type=Single
> ptype=RegExp
> pattern=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(.*)
> desc=SVC_CHECK $2 $3
> action=logonly (Single %s "$5"); write icinga.cmd ($1;$2;$3;$4)
>
>
>
> Using this rule set, we want to find and filter out pairs of events that look
> like:
>
> [1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded
> [1428995864] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995864;inservice
>
> But we can't correctly catch all these pairs received in traps. In some
> cases the number of received pairs is greater than the number of pairs which
> matched the PairWithWindow rule.
>
> At the same time, events like:
> "[1428995864] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995864;inservice"
>
> which have a pair, are matched by the second rule (Single). But the Single
> rule should catch events without a pair.
>
>
> An example of the traps (trap.dat) is in the attachment.
>
>
> /usr/bin/sec --conf=sec-trap.conf --input=trap.dat --log=sec-trap.log --dump=sec.dmp --notail
>
>
> We need some help in solving this problem.
>
> Thanks!
> --
> With Regards, Lezin Pavel.
>
>
------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users