hi Shashi,
are all your rules in the same file, and is the event a single-line event
that doesn't contain any newlines? Since the event matching process depends
on the order of rules, and rules can be skipped with continue=goto
statements, seeing the entire rule file would be helpful. Also, have you
tried testing the ruleset interactively, in order to see if the
PairWithWindow rule matches the event?
kind regards,
risto

2016-09-09 0:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

>
> Risto,
>
> Thanks for your inputs. I have set up SEC such a way that if the pattern
> does not match any of the rules, it will be logged against last rule as
> below:
>
> ## Rule:32
>
> ## Last Updated At: 2014-08-22T16:38:01.061Z
>
> ## A catch all rule that is used for researching new patterns
>
> type=singleWithSuppress
>
> ptype=regexp
>
> continue=dontcont
>
> pattern=Date=.* ,Device=(\S+) ,Msg=.*((%\S+:).*)
>
> desc=$1 $2
>
> action=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-,
> Action=Research, Device=$1, Pattern=$3, Log=-" >>
> /local/mnt/workspace/logs/sec-logs/sec-messages.log
>
> window=86400
>
> In this case, message is getting logged as Research pattern indicating SEC
> did process the event.
>
> Thanks,
>
> Shashi
>
> *From:* Risto Vaarandi [mailto:risto.vaara...@gmail.com]
> *Sent:* Thursday, September 08, 2016 2:06 PM
> *To:* Ganji, Shashirekha Yadav <shash...@qualcomm.com>
> *Cc:* simple-evcorr-users@lists.sourceforge.net
> *Subject:* Re: [Simple-evcorr-users] Pairwithwindow rule
>
> hi Shashi,
>
> I tested the rule quickly against the following input line that you
> provided in your previous post:
>
> Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
> 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
> alarm on power supply 2: failed
>
> In my quick test, I set the window parameter of the PairWithWindow rule to
> 1, in order to see if the 'pattern' field matches this line, and if the
> action in the 'action' field gets triggered after 1 second. At least in my
> case, the rule is working perfectly:
>
> sec --conf=test-sec.conf --input=-
> SEC (Simple Event Correlator) 2.7.8
> Reading configuration from test-sec.conf
> 1 rules loaded from test-sec.conf
> No --bufsize command line option or --bufsize=0, setting --bufsize to 1
> Opening input file -
> Interactive process, SIGINT can't be used for changing the logging level
>
> Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
> 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
> alarm on power supply 2: failed     <--- that's the line I typed to sec
> standard input
>
> Executing shell command 'perl /etc/syslog-config/send2mom/sec_s2m_v2.pl
> --targetparent san-w170-dcr-sw-02-mgmt --target 2 --notifying_group NETRS
> --severity MAJOR --kpi Network --pattern "SATCTRL-FEX107-2-SOHMS_DIAG_ERROR:"
> --log "SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on
> power supply 2: failed" --source SEC --sendevent on'     <--- and that's a
> sec debug message which indicates the action execution
>
> Are you sure that your sec instance actually observed that event? Also,
> since the event correlation window is fairly large (3600 seconds), are you
> sure sec was not restarted while the event correlation operation was
> running?
>
> regards,
>
> risto
>
> 2016-09-08 23:43 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:
>
> My bad, sent the wrong rule.
>
> Here is the correct SEC rule that I have in production.
>
> type=pairWithWindow
>
> ptype=regexp
>
> continue=dontcont
>
> pattern=Date=.* ,Device=(\S+) 
> ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power
> supply (\d): failed.*)
>
> desc=$1 $3 $4
>
> action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl
> --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR
> --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
>
> ptype2=regexp
>
> pattern2=Date=.* ,Device=($1) 
> ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*
> Recovered: .* supply (\d): failed)
>
> desc2=logonly
>
> action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-,
> Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >>
> /local/mnt/workspace/logs/sec-logs/sec-messages.log
>
> window=3600
>
> Thanks,
>
> Shashi
>
> *From:* Risto Vaarandi [mailto:risto.vaara...@gmail.com]
> *Sent:* Thursday, September 08, 2016 12:31 PM
> *To:* Ganji, Shashirekha Yadav <shash...@qualcomm.com>
> *Cc:* simple-evcorr-users@lists.sourceforge.net
> *Subject:* Re: Pairwithwindow rule
>
> hi Shashi,
>
> there appears to be a subtle difference between the regular expression and
> the event you are trying to match. When you take a closer look at the
> regular expression, you will notice that it contains the following fragment:
>
> %SATCTRL-FEX101-2
>
> However, the event from the log file contains the substring
> "%SATCTRL-FEX107-2" which doesn't match the above construct. To fix the
> regular expression and make it work for both 101 and 107, you could use the
> construct 10[17] or perhaps just \d+.
>
> kind regards,
>
> risto
>
> 2016-09-08 22:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:
>
> Hi All,
>
> Is there any problem in this rule?
>
> Rule was all working good but suddenly stopped working by not matching the
> first pattern.
>
> ## Rule: 30(Nexus Extender power supply) Environment alert regarding power
> supply failure `It will suppress alarm if power supply recovers within an
> hour
>
> type=pairWithWindow
>
> ptype=regexp
>
> continue=dontcont
>
> pattern=Date=.* ,Device=(\S+) 
> ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power
> supply (\d): failed)
>
> desc=$1 $3 $4
>
> action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl
> --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR
> --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
>
> ptype2=regexp
>
> pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*
> Recovered: .* supply (\d): failed)
>
> desc2=logonly
>
> action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-,
> Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >>
> /local/mnt/workspace/logs/sec-logs/sec-messages.log
>
> window=3600
>
> To be matched data:
>
> Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
> 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
> alarm on power supply 2: failed
>
> Thanks,
>
> Shashi
>
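A small Python model, added here and not part of the thread or of SEC itself, of what Risto's interactive test checks: the original FEX101 pattern against the FEX107 event, the production FEX1[0-9][0-9] pattern with its $-captures, and pattern2 with $1 filled in from the first match the way PairWithWindow does. The events and patterns are reassembled onto single lines from the wrapped mail text (assumed spacing at the wrap points), and the recovery event is constructed with assumed wording.

```python
import re

# Events reassembled onto one line from the wrapped mail text (constructed
# reproduction; note the double spaces in the date fields).
EVENT_FAILED = (
    "Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 "
    "08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor "
    "alarm on power supply 2: failed"
)
# Constructed recovery event for the same device and supply (assumed wording).
EVENT_RECOVERED = (
    "Date=Sep  8 08:40:02 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 "
    "08:40:02 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 Recovered: "
    "System minor alarm on power supply 2: failed"
)

# 'pattern' from the first post: FEX101 is hard-coded, so FEX107 never matches.
PATTERN_OLD = (r"Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:)"
               r".*power supply (\d): failed)")
# 'pattern' from the production rule: FEX1[0-9][0-9] covers 101, 107, ...
PATTERN_NEW = (r"Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:)"
               r".*power supply (\d): failed.*)")
# 'pattern2' from the production rule; $1 is a placeholder that PairWithWindow
# fills in from the first match, so only the same device can close the pair.
PATTERN2 = (r"Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:)"
            r".*Recovered: .* supply (\d): failed)")


def match_groups(pattern, event):
    """Return SEC-style $1..$n captures, or None when the event does not match.
    ptype=regexp is an unanchored search, like Perl's m//."""
    m = re.search(pattern, event)
    if m is None:
        return None
    return {f"${i}": g for i, g in enumerate(m.groups(), start=1)}


def recovery_matches(first_groups, event):
    """Substitute the first match's $-variables into pattern2 (verbatim, as a
    model of SEC's behaviour) and test whether the candidate second event
    closes the correlation window."""
    pat = PATTERN2
    for var in sorted(first_groups, key=len, reverse=True):  # $10 before $1
        pat = pat.replace(var, first_groups[var])
    return match_groups(pat, event) is not None
```

A recovery event from a different device does not satisfy the substituted pattern2, which is why the device capture in the first pattern matters for the suppression logic.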
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
