On 06/01/2010 11:31 AM, Javier wrote:
> Risto,
>
> yes, you're right. I receive 3 different traps but from 3 different
> generic OIDs but that's not important. For example
>
> <generic OID1> .1.2.3 A C
> <generic OID2> .1.2.3 A D
> <generic OID3> .1.2.3 B D
>
> and each one of them brings the raw data:
>
> <generic OID1> .1.2.3 ="OK"
> <generic OID1> .1.2.3.5="234234"
> <generic OID1> .1.2.3.6.7="UP"
>
> As you can see, some of them have more numbers in the OID, so how can I
> process all of them independently of the amount of numbers in the OID?
> If it is not easily accomplished anyway, I guess I can receive the
> relevant data from the same amount of numbers in the OID.

It should be fairly easy to write a regular expression that handles the
variable amount of numbers. For example, [\d.]+=(\S+) matches any sequence
of numbers and dots that is followed by '=', and it also assigns the value
that follows '=' to a variable $1.

> What about using Context to save every value from every parameter of
> the trap and when it's a data change, write it in another log? (maybe
> that perl script in http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC
> to trap back). Is it possible?

Indeed, you could use contexts for memorizing event correlation state, but
I'd recommend taking advantage of the 'desc' field of a rule.

BR,
risto

> Thank you very much
>
> 2010/6/1 Risto Vaarandi <[email protected]>
>
> Javier,
>
> if each trap has several parameters that can have different values, and
> you want to correlate events with the *same* set of values, this can be
> easily accomplished by setting the 'desc' parameter accordingly.
>
> Suppose that the trap with OID .1.2.3 can have two parameters:
>
> <generic OID> .1.2.3 A C
> <generic OID> .1.2.3 A D
> <generic OID> .1.2.3 B D
>
> With this example, it is obvious that the following rule will react only
> to the first trap:
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=<generic OID> (\S+)
> desc=estado $1
> action=shellcmd /home/javier/send.sh
> window=300
>
> However, if you rewrite the rule as follows, each trap .1.2.3 with a
> *different* set of parameter values will be correlated by a different
> event correlation operation (in other words, if a trap with a new set of
> parameter values comes in, it is written to the log and then suppressed
> for 5 minutes):
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=<generic OID> (\S+) (\S+) (\S+)
> desc=estado $1 $2 $3
> action=shellcmd /home/javier/send.sh
> window=300
>
> The key to the solution is to define the 'desc' parameter correctly,
> since 'desc' defines the scope of event correlation operations. A similar
> question has been asked many times on this list before, and since this
> is one of the fundamentals of SEC, please have a look at the relevant
> section of the man page:
> http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV
> This section explains the relation between rules and event correlation
> operations, and how the 'desc' parameter influences this.
>
> BR,
> risto
>
> On 06/01/2010 10:32 AM, Javier wrote:
> > Hi,
> >
> > well, that trap comes from a device with several parameters. I receive 3
> > different traps, some common parameters to all traps and others only for
> > each trap. A change in the trap is when I receive different data in
> > any parameter from the last same trap.
> >
> > I've been searching documentation and maybe I could use Context to save
> > the data from each parameter and then show it later if it changes, but I
> > don't know exactly how I can do that. Is it possible? Any suggestion?
> >
> > thanks in advance
> >
> > 2010/5/31 Risto Vaarandi <[email protected]>
> >
> > How do you define a change in the trap?
> > br,
> > risto
> >
> > --- On Mon, 5/31/10, Javier <[email protected]> wrote:
> >
> > From: Javier <[email protected]>
> > Subject: [Simple-evcorr-users] Can SEC help me ??
> > To: "simple-evcorr-users" <[email protected]>
> > Date: Monday, May 31, 2010, 8:15 PM
> >
> > Hi,
> >
> > I need to make a persistence correlation and I'm not sure if SEC can
> > help me. It should go like this:
> >
> > I receive traps with a determinate OID in a log file as raw data,
> > then I write the output to a DB to show it later as an alarm.
> >
> > I want to show the first coincidence and I want to correlate the
> > event to show only when it's a change in the trap during a time
> > threshold and if there's a change in that same event, reset that
> > time threshold and of course show the changes. I prefer to do it in
> > memory and not in DB...
> >
> > Well, is it possible to do that with SEC? and if yes... HOW??? maybe
> > using several rules in the same conf file??
> >
> > thanks in advance
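
Added example (not part of the original thread, and not SEC's own code): a toy Python model of how the 'desc' string keys SingleWithSuppress operations for the two rules quoted above, plus the [\d.]+=(\S+) expression applied to a var-bind line. The class, the function names, the "TRAP" prefix standing in for <generic OID> and the timestamps are all assumptions made for illustration.

```python
import re


class SingleWithSuppress:
    """Toy model: one suppression operation per distinct desc string."""

    def __init__(self, pattern, desc, window):
        self.pattern = re.compile(pattern)
        self.desc = desc
        self.window = window
        self.operations = {}  # desc string -> time at which the operation ends

    def feed(self, now, line):
        """Return the desc string if the action would run, else None."""
        m = self.pattern.search(line)
        if m is None:
            return None
        # Expand $1, $2, ... in desc from the pattern's capture groups.
        key = re.sub(r"\$(\d+)", lambda v: m.group(int(v.group(1))), self.desc)
        ends = self.operations.get(key)
        if ends is not None and now < ends:
            return None  # an operation with this key is still running
        self.operations[key] = now + self.window
        return key


# Constructed sample input: (seconds, log line).
EVENTS = [
    (0, "TRAP .1.2.3 A C"),
    (10, "TRAP .1.2.3 A D"),
    (20, "TRAP .1.2.3 B D"),
    (30, "TRAP .1.2.3 A C"),   # same values again inside the 300 s window
    (400, "TRAP .1.2.3 A C"),  # same values after the window has ended
]


def run(rule):
    fired = []
    for now, line in EVENTS:
        key = rule.feed(now, line)
        if key is not None:
            fired.append(key)
    return fired


def narrow_rule():
    # desc=estado $1: every .1.2.3 trap shares one operation.
    return run(SingleWithSuppress(r"TRAP (\S+)", "estado $1", 300))


def wide_rule():
    # desc=estado $1 $2 $3: each distinct set of values gets its own operation.
    return run(SingleWithSuppress(r"TRAP (\S+) (\S+) (\S+)", "estado $1 $2 $3", 300))


def varbind_value(line):
    """Value after '=' for an OID of any length, as captured in $1."""
    m = re.search(r"[\d.]+=(\S+)", line)
    return m.group(1) if m else None
```

In this model a value set that reappears while its own operation is still running (the trap at 30 s) stays suppressed even though other value sets were seen in between.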
