Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.

2011-04-18 Thread John Grasett
Here is the conf I am testing and some of the output. I realize in the perlfunc we have $0 and $1, but in the actions do these not become $1 and $2? I suppose I am just wondering how I can manipulate the value for the input stream variable in my actions to make it easier to read - ie rather than the full path and name of the monitored logfile, just a portion of the name that is a unique identifier.

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
  return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
context=!IGNORE_SRVE0255E_FOR_FILE_$2
desc=$1:$2
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; \
  shellcmd %email $1 %layer %app $2 %mailto; \
  create IGNORE_SRVE0255E_FOR_FILE_$2 60 logonly IGNORE_SRVE0255E_FOR_FILE_$2 has Expired!

Mon Apr 18 14:47:20 2011: Error reported by Application: WEC on Layer: PERF: PQWCSP5 caught in: PQWCSP5
Mon Apr 18 14:47:20 2011: Executing shell command '/opt/monty/sec/emailException.sh PQWCSP5 PERF WEC PQWCSP5 john_gras...@johnlewis.co.uk'
Mon Apr 18 14:47:20 2011: Child 30939 created for command '/opt/monty/sec/emailException.sh PQWCSP5 PERF WEC PQWCSP5 john_gras...@johnlewis.co.uk'
Mon Apr 18 14:47:20 2011: Creating context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5'
Mon Apr 18 14:48:21 2011: Deleting stale context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5'
Mon Apr 18 14:48:21 2011: IGNORE_SRVE0255E_FOR_FILE_PQWCSP5 has Expired!
Mon Apr 18 14:48:21 2011: Stale context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5' deleted

What happens is that using $1 and $2 in the action list, they both become what I think of as $2 (which is the manipulated $1 in the perlfunc). If I change the conf to be like this and use $0 and $2 in the action I get the entire log message...

action=logonly Error reported by Application: %app on Layer: %layer: $0 caught in: $2; \
  shellcmd %email $0 %layer %app $2 %mailto; \
  create IGNORE_SRVE0255E_FOR_FILE_$2 60 logonly IGNORE_SRVE0255E_FOR_FILE_$2 has Expired!

So I am really changing the log line value in the function to only return the SRVE0255E in $1 and trying to change the log source $2 to only return a portion of the name. It sort of works, but I seem to lose the value of the manipulated log message if I try to manipulate the value of the log source. I have everything else I wanted to test working fine, short lived context blocking of further alerts works just great... my email script is being triggered perfectly, it's just this now ;) Thanks for your help!
 -Risto Vaarandi risto.vaara...@gmail.com wrote: -

 To: John Grasett john.gras...@atech.com
 From: Risto Vaarandi risto.vaara...@gmail.com
 Date: 04/17/2011 10:38AM
 Cc: simple-evcorr-users simple-evcorr-users@lists.sourceforge.net
 Subject: Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.

 2011/4/17 Risto Vaarandi risto.vaara...@gmail.com:
 2011/4/15 John Grasett john.gras...@atech.com:
 Yes, that sounds perfect. I could also then do this to not repeat on the same event in the same log.

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
   return ($1, $_[1]); } else { return 0; } }
 context=!IGNORE_SRVE0255E_FOR_FILE_$2
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; create IGNORE_SRVE0255E_FOR_FILE_$2

 One other thing I am trying to do with no luck - change $2 to be only part of the log path/filename:

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
   return ($1, $_[1], $_[2] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2

 or I try

 return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }

 But then I get bad output!

 John,
 PerlFunc pattern function accepts two input parameters ($_[0] and $_[1]), thus $_[2] is undefined for this pattern (PerlFunc2, PerlFunc3, PerlFunc4 etc. take 2,4,6,... parameters).

 sorry for a typo -- PerlFunc takes 2 input parameters (one input line and one source name), PerlFunc2 takes 4 parameters (two input lines and two source names), PerlFunc3 takes 6, etc.
 regards,
 risto
--
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
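To make the behaviour John reports (both $1 and $2 coming out as the short file name) reproducible outside SEC, here is an added stand-alone Perl script. It is not part of the thread and not SEC's own code: it simply calls two anonymous subs with the same two arguments SEC hands to a PerlFunc pattern (the input line and its source name). The log line and the file path are constructed for the example; the "fixed" sub follows Risto's advice of copying $1 into a lexical before running the second match, and additionally falls back to the full path when the source name is not of the form <name>.SystemOut.log.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input (invented for this example): one WebSphere-style
# log line and the path of the log file SEC would report as its source.
my $line   = '[18/04/11 14:47:20:123 BST] 0000001a WebGroup E SRVE0255E: '
           . 'A WebGroup/Virtual Host to handle /foo has not been defined.';
my $source = '/var/log/websphere/PQWCSP5.SystemOut.log';

# The version posted in the thread. $1 is placed in the return list as the
# magic match variable, so when Perl copies the list out the second match
# has already replaced the value from /.*(SRVE0255E).*/. Both elements end
# up holding the capture from the file-name match.
my $broken = sub {
    if ($_[0] =~ /.*(SRVE0255E).*/) {
        return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/);
    } else { return 0; }
};

# Corrected version: save $1 into a lexical before the next match, and run
# the file-name match in list context so the capture (not a true/false
# value) is returned. If the source name does not match the expected
# pattern, fall back to the full path so the rule still fires with a
# usable $2 instead of an empty one.
my $fixed = sub {
    my ($input, $src) = @_;            # what SEC passes as $_[0] and $_[1]
    if ($input =~ /.*(SRVE0255E).*/) {
        my $code = $1;                 # copied before any other match runs
        my ($name) = $src =~ m/.*\/(.*)\.SystemOut\.log$/;
        $name = $src unless defined $name;
        return ($code, $name);         # becomes $1 and $2 in the SEC action
    }
    return 0;                          # no match: rule does not fire
};

print "broken:               ", join(' | ', $broken->($line, $source)), "\n";
print "fixed:                ", join(' | ', $fixed->($line, $source)), "\n";
print "fixed, unexpected path: ", join(' | ', $fixed->($line, '/tmp/other.log')), "\n";
```

With these inputs the broken sub returns the short file name twice, which is exactly what the "$1 caught in: $2" action lines in the message above show; the fixed sub returns the error code first and the short name second, and keeps the full path when the name does not end in .SystemOut.log. The body of the fixed sub is what would go into the `pattern=sub { ... }` of the rule.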


Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.

2011-04-16 Thread Risto Vaarandi
2011/4/15 John Grasett john.gras...@atech.com:
 Yes, that sounds perfect. I could also then do this to not repeat on the
 same event in the same log.

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
   return ($1, $_[1]); } else { return 0; } }
 context=!IGNORE_SRVE0255E_FOR_FILE_$2
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer:
 $1 caught in: $2; create IGNORE_SRVE0255E_FOR_FILE_$2


 One other thing I am trying to do with no luck - change $2 to be only part
 of the log path/filename:

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
   return ($1, $_[1], $_[2] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer: $1
 caught in: $2

 or I try

 return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }

  But then I get bad output!

John,
PerlFunc pattern function accepts two input parameters ($_[0] and
$_[1]), thus $_[2] is undefined for this pattern (PerlFunc2,
PerlFunc3, PerlFunc4 etc. take 2,4,6,... parameters).
I would not recommend using $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/
inside a return list from the function, since this sets $1 to the
match value from m/.*\/(.*)\.SystemOut\.log$/, overwriting a previous
value from /.*(SRVE0255E).*/. You can tackle this issue by saving $1
first into a separate variable, and then evaluating
m/.*\/(.*)\.SystemOut\.log$/ against the input file name.
hope this helps,
risto





 -Risto Vaarandi risto.vaara...@gmail.com wrote: -

 To: John Grasett john.gras...@atech.com
 From: Risto Vaarandi risto.vaara...@gmail.com
 Date: 04/15/2011 12:43PM
 Cc: simple-evcorr-users@lists.sourceforge.net
 Subject: Re: [Simple-evcorr-users] Suggestions for handling multiple
 streams/events - disabling alerting based on source, etc.

 hi John,
 I would recommend to use contexts, once you have seen a match from
 particular rules that should disable matches for several other rules.
 The contexts are visible across all rules and it is easy to check
 their presence or absence with Boolean expressions.
 For example, for disabling input coming from certain log files, you
 could employ the following scheme:

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
   return ($1, $_[1]); } else { return 0; } }
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer:
 $1 caught in: $2; create IGNORE_EVENTS_FOR_FILE_$2

 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVA0255A).*/) { \
   return ($1, $_[1]); } else { return 0; } }
 context=!IGNORE_EVENTS_FOR_FILE_$2
 desc=$0
 action=logonly Error2 reported by Application: %app on Layer: %layer:
 $1 caught in: $2

 The first rule creates a context if SRVE0255E event has been seen for
 an input file, and if then the SRVA0255A event will come in from the
 same log file, no alert would be produced.

 A side note -- since the users like to have an input source file name
 to be available through a match variable, and the named match
 variables added into the new 2.6 version allow for easily adding new
 reserved variables, it is likely that the next minor version of SEC
 will include support for input file name match variable. In that case,
 you wouldn't be required to use PerlFunc anymore only for getting
 input source name.

 kind regards,
 risto


 2011/4/14 John Grasett john.gras...@atech.com:
 I am just getting started here, but I know we will be able to get what we
 want, I just need a little push in the right direction for implementing
 this. So far I have this simple conf:

 # Set variables on SEC startup or soft restarts. These variables can be used
 # in actions and contexts. They are not usable in patterns.
 type = single
 desc = set variables and things on startup or restart of sec (core)
 ptype = regexp
 pattern = SEC_(STARTUP|RESTART|SOFTRESTART)
 context = [ SEC_INTERNAL_EVENT ]
 action=assign %app WEC; assign %layer PERF

 # test rule to match on error generated by websphere for a bad or missing virtual host or webgroup
 # we use a perlfunc as we need to get the name of the input stream (in this case our logfile) - this way we can run one instance against
 # all the servers for an application/layer
 type=single
 ptype=perlfunc
 pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
 return ($1, $_[1]); } else { return 0; } }
 desc=$0
 action=logonly Error reported by Application: %app on Layer: %layer: $1
 caught in: $2

 which does what it should, logs on catching the SRVE0255E code with the
 variables and the name of the logfile it was caught in:

 Thu Apr 14 12:37:28 2011: Reading configuration from
 /opt/monty/sec/conf/WEC_PERF.conf
 Thu Apr 14 12:37:28 2011: 2 rules loaded from
 /opt/monty/sec/conf/WEC_PERF.conf
 Thu Apr 14 12:37:28 2011: Creating SEC internal context
 'SEC_INTERNAL_EVENT'
 Thu Apr 14 12:37:28 2011: Creating SEC internal event 'SEC_RESTART'
 Thu Apr 14 12:37:28