On Mon, 15 Jun 2015, Rajesh M wrote:
Hello All,
It would be very much appreciated if you would help me to get through the below
scenario.
1. I have the following message from the alarm file as active alarm raise
event:
2015 Mar 16 19:08:57 ALARM RAISE SP=70377
MO=/CLA-0/FSClusterNTPServer/NTPMonitor
AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync"
NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
2. I have one more log called syslog which also contains the info related
to these alarm raise event.
Mar 16 19:08:57.696843 warn CLA-0 NTPMonitor[3561]: NTPMonitorTask
executeCB(): sysPeer not chosen for 40 times Reporting Critical Out of
Sync Alarm
Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: ALARM RAISE SP=70377
MO=/CLA-0/FSClusterNTPServer/NTPMonitor
AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync"
NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
3. I need to correlate the alarm raise event in alarm file to the syslog
"NTP Monitor" info along with the same alarm in syslog file around the same
time stamps.
Our idea/implementation is that if EVENT-1 occurs in the alarm file, EVENT-2 will
follow in the syslog. So joining these two events as one correlation
rule for monitoring.
Please provide us with your valuable references and examples for doing the
same :) .

Since you don't know which event will show up first, the best thing is to use
contexts.
Have two different rules that match the different log entries,
and then have a rule that looks for both contexts to be raised and generates an
alert at that time (possibly including data from each of the two contexts).
David Lang
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
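
The context approach from the reply above, modelled in Python as an added example that is not part of the original thread and is not SEC rule syntax: each log format gets its own matcher that raises a context keyed by the SP value, and an alert fires once both contexts exist, whichever arrived first. The 60-second context lifetime, the class and function names and the regular expressions are assumptions; the sample lines are the post's two entries rejoined onto one line each.

```python
import re

# Constructed input: the two "ALARM RAISE" entries from the post, each rejoined onto one line.
TAIL = ('ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor '
        'AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" '
        'NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480')
ALARM_LINE = "2015 Mar 16 19:08:57 " + TAIL
SYSLOG_LINE = "Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: " + TAIL

# One matcher per log format; each captures the SP value used as the correlation key.
MATCHERS = {
    "alarm": re.compile(r"^\d{4} \w{3} +\d+ [\d:]+ ALARM RAISE SP=(\d+)"),
    "syslog": re.compile(r"^\w{3} +\d+ [\d:.]+ \w+ \S+ NTPMonitor\[\d+\]: ALARM RAISE SP=(\d+)"),
}

class Correlator:
    """Raises a context per (source, SP); alerts once both sources hold one for the same SP."""

    def __init__(self, window=60):          # window (seconds) is an assumed lifetime
        self.window = window
        self.contexts = {}                  # (source, SP) -> (expiry, line)

    def feed(self, now, line):
        """Process a line seen at time `now` (seconds). Returns an alert dict or None."""
        # Drop contexts whose lifetime has run out.
        self.contexts = {k: v for k, v in self.contexts.items() if v[0] > now}
        for source, rx in MATCHERS.items():
            m = rx.match(line)
            if m:
                self.contexts[(source, m.group(1))] = (now + self.window, line)
                return self._both_raised(m.group(1))
        return None

    def _both_raised(self, sp):
        keys = [(source, sp) for source in MATCHERS]
        if not all(k in self.contexts for k in keys):
            return None
        # Both contexts exist: consume them and report data from each.
        lines = {k[0]: self.contexts.pop(k)[1] for k in keys}
        return {"sp": sp, **lines}

if __name__ == "__main__":
    c = Correlator()
    print(c.feed(0.0, SYSLOG_LINE))   # first event only raises a context
    print(c.feed(0.5, ALARM_LINE))    # second event completes the pair
```

Consuming both contexts on alert means a repeated copy of either line starts a fresh pair instead of re-alerting on stale data.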