On Mon, 24 Aug 2015, Ganji, Shashirekha Yadav wrote:

Hi,

I have been using SEC in our infrastructure for the past 2 years and our customers are 
extremely happy with the tool. It was all good so far, but yesterday I experienced 
a peculiar issue.

We have SEC rule setup as below:

## Rule:2
## Last Updated At: 2015-03-19T17:39:21.297Z
## Rule:1 Vendor:Cisco BGP neighbor down alarm, alarm will be suppressed if neighbor recovers within 60 seconds. In case of 5 such events within 5 min a %BGP-5-FLAP: notification will be generated.
type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*((%BGP-5-ADJCHANGE:).* (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) Down.*)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*(($3).* ($4) Up.*)
desc2=$1 BGP Neighbor $4 flap detected
action2=event %s; shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=60


I noticed there were 2 events matching the above pattern. Device A and Device B 
are connected to each other, and on both devices the BGP neighbor connecting 
them to each other was down.

The problem was that SEC sent the above alerts with a delay of 4 hrs. Can you explain 
why there is this delay and how I can fix the issue?

SEC doesn't delay sending any alerts, so the question is: did it take that long to get the log to SEC, or was SEC that far behind in processing messages?

If you enable a dumpfile, you can send SEC a signal and then look in the resulting file to see the most recent logs it's processed. That will tell you if it's way behind (although SEC using 100% CPU for any significant amount of time will tell you it is not keeping up).

How are you reading the logs?

David Lang
------------------------------------------------------------------------------

_______________________________________________

Simple-evcorr-users mailing list

Simple-evcorr-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
