hi Karthik, before starting to develop an event correlation rule for these events, the following questions need to be answered:

1) do you want to detect the situations where the "NTPMonitorTask executeCB(): sysPeer not chosen" event is *followed* by the "ALARM RAISE" event, or can the order of events vary?

2) do these two events have specific fields which must have identical values for both events? (For example, is CLA-0 a hostname in your example events which can take many different values, and would you actually like to associate two events based on their hostname?)

3) what is the maximum number of seconds between the occurrence times of those two events (is it 5 seconds, 60 seconds, or something else?)

The following rule is a simple example which assumes that "NTPMonitorTask executeCB(): sysPeer not chosen" is followed by "ALARM RAISE" within 60 seconds, and that these two events do not have any specific fields with identical values:

type=Pair
ptype=RegExp
pattern=CLA-0 NTPMonitor\[\d+\]: NTPMonitorTask executeCB\(\): sysPeer not chosen for \s*\d+ times Reporting Critical Out of Sync Alarm
desc=NTPMonitorTask critical alarm
action=none
ptype2=RegExp
pattern2=ALARM RAISE SP=\d+ MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=\d+ UTCSHIFT=\d+
desc2=NTPMonitorTask critical alarm was followed by ALARM RAISE
action2=write - %s
window=60

After the sequence of these two events has been observed, the rule writes the string "NTPMonitorTask critical alarm was followed by ALARM RAISE" to standard output. As David has already mentioned, if your events are not always arriving in this particular order, you might need to use contexts for setting up a correlation scheme. As an alternative, you could also take advantage of the EventGroup2 rule.
Assuming that your syslog events are written to /var/log/messages and ALARM RAISE messages are logged to /var/log/alarms.log, the command line for monitoring these two log files simultaneously could be the following:

sec --conf=/etc/sec//test.karthik --input=/var/log/messages --input=/var/log/alarms.log

In other words, you can repeat the --input command line option several times for specifying more than one input source.

hope this helps,
risto

2015-06-15 18:38 GMT+03:00 Rajesh M <rajesh68.embed...@gmail.com>:
> Hello All,
>
> It would be very much appreciated if you would help me to get through the below
> scenario.
>
> 1. I have the following message from the alarm file as an active alarm raise
> event:
>
> 2015 Mar 16 19:08:57 ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
>
> 2. I have one more log called syslog which also contains the info related
> to this alarm raise event.
>
> Mar 16 19:08:57.696843 warn CLA-0 NTPMonitor[3561]: NTPMonitorTask executeCB(): sysPeer not chosen for 40 times Reporting Critical Out of Sync Alarm
>
> Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480
>
> 3. I need to correlate the alarm raise event in the alarm file to the syslog
> "NTP Monitor" info along with the same alarm in the syslog file around the same
> time stamps.
>
> Our idea/implementation is that if EVENT-1 occurs in the alarm file, EVENT-2 will
> follow in the syslog. So we want to join these two events as one correlation
> rule for monitoring.
>
> Please provide us with your valuable references and examples for doing the
> same :) .
>
> Thanks & Regards,
> Karthik
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
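The following Python script is an added example (it is not Risto's code and not part of SEC) that emulates the Pair rule posted above on lines fed in arrival order, using the rule's two regular expressions and its 60 second window. It assumes the year 2015 for syslog lines that carry no year, and its sample events are constructed from the lines quoted in the thread.

```python
import re
from datetime import datetime
# pattern and pattern2 copied from the Pair rule in the message above.
PATTERN1 = re.compile(r"CLA-0 NTPMonitor\[\d+\]: NTPMonitorTask executeCB\(\): sysPeer not "
                      r"chosen for \s*\d+ times Reporting Critical Out of Sync Alarm")
PATTERN2 = re.compile(r'ALARM RAISE SP=\d+ MO=/CLA-0/FSClusterNTPServer/NTPMonitor '
                      r'AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" '
                      r'NINFO="sysPeer not chosen " TIME=\d+ UTCSHIFT=\d+')
WINDOW = 60                                                    # window=60
ACTION2 = "NTPMonitorTask critical alarm was followed by ALARM RAISE"  # desc2, written by action2
# Leading timestamp of a syslog line ("Mar 16 19:08:57.696843") or of an alarm file
# line ("2015 Mar 16 19:08:57"); the year is optional and assumed to be 2015 when absent.
TS_RE = re.compile(r"^(?:(\d{4}) )?(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?")

def parse_ts(line, default_year="2015"):
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1) or default_year} {m.group(2)}", "%Y %b %d %H:%M:%S")

def correlate(lines, window=WINDOW):
    """Emulate the Pair rule over lines in arrival order: pattern opens a pair
    (action=none); the first pattern2 within `window` seconds closes it and fires
    action2; a pattern2 seen before pattern, or after the window expires, fires nothing."""
    opened_at, fired = None, []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if opened_at is not None and (ts - opened_at).total_seconds() > window:
            opened_at = None                 # window expired, the open pair is discarded
        if opened_at is None:
            if PATTERN1.search(line):
                opened_at = ts               # pair opened, now waiting for pattern2
        elif PATTERN2.search(line):
            fired.append(ACTION2)
            opened_at = None                 # pair completed, further pattern2 lines ignored
    return fired

# Constructed sample events, modelled on the lines quoted in the thread.
SYSLOG_WARN = ("Mar 16 19:08:57.696843 warn CLA-0 NTPMonitor[3561]: NTPMonitorTask executeCB(): "
               "sysPeer not chosen for 40 times Reporting Critical Out of Sync Alarm")
ALARM_TEXT = ('ALARM RAISE SP=70377 MO=/CLA-0/FSClusterNTPServer/NTPMonitor '
              'AP=/CLA-0/FSClusterNTPServer/NTPMonitor SE=2 IINFO="Clock Sync" '
              'NINFO="sysPeer not chosen " TIME=1426504137696 UTCSHIFT=480')
SYSLOG_INFO = "Mar 16 19:08:57.697347 info CLA-0 NTPMonitor[3561]: " + ALARM_TEXT
ALARM_FILE = "2015 Mar 16 19:08:57 " + ALARM_TEXT  # the same alarm as read from /var/log/alarms.log
ALARM_LATE = "2015 Mar 16 19:10:30 " + ALARM_TEXT  # 93 seconds later, outside the 60 second window
```

Feeding correlate() the ALARM RAISE line before the NTPMonitorTask line, or more than 60 seconds after it, returns an empty list, which is exactly the order and window question raised above.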