Great idea, however, now all 432 ports on my device would send out an email
on flap, rather than the 60 important ones. This would be perfect if an
entire switch needed friendly names.
As for David's suggestion, this would also be the case, however, I could
error out (silently) if it doesn't match something in the hash. I would
still need to call a shellcmd, I don't just email, I also trigger additional
alerts like sounds and phones with the shellcmd announce.php, I'm happy to
call that separately. At that point, I might as well just offload EVERY
event to different perl files and fail silently if the switch/port
combination is not in a hash/map.
Are these ways any safer(?) or less performance intensive than 60+ rules?
My initial thought was to write a template and seed file (à la Section 4.2
http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html#SECPERFORMANCE)
and just deal with adding a line (for each friendly named port) and
recompiling the rules file every time I want to change.
Thoughts?
--
Justin J. Novack
Official Disturber of the Peace
On Tue, Oct 18, 2011 at 1:52 PM, John P. Rouillard <[email protected]> wrote:
>
> In message
> <CAB3_BpPsYVc+OKX5oio03tuSy=D=o5ikb5eq7rxtxykvuax...@mail.gmail.com> ,
> "Justin J. Novack" writes:
> > [...]
> >I could tap the collective knowledge. My dilemma is that I'd like to be
> >able to email out a friendly name for a port if one should exist.
> >
> >Rather than writing x rules for x ports with a friendly name (Port 1
> >belongs to EXCHANGE, port 2 belongs to DOMAINCONTROLLER, port 3 belongs
> >to DNSSERVER, etc.), I was wondering if there is a way to reference a
> >map (by an external file or written within the rule itself).
>
> You could use `grep interface name /file/mapping` in the commands
> where you invoke the shell. Alternatively you could call a shell
> script that interfaces to your inventory management system and does a
> lookup so when the IMS changes mappings, you get the change
> automatically.
>
> action=pipe '%s' /bin/mail -s "[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!" [email protected];
>
> for example.
>
> >My admins don't know what Ethernet4/38 maps to, and they shouldn't be
> >expected to memorize it. So currently I have to write the following rule:
> >
> ># IMPORTANT SERVER 1
> >type=Single
> >ptype=RegExp
> >pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
> >desc=(MAJOR) $1 interface $2 DOWN!
> >action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' [email protected]; \
> > shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
> > [...]
> >Multiply that over each port needed, and I am swamped in rules. Is it
> >possible to utilize a mapping function so I have to write that rule once,
> >but I can map interfaces with friendly names?
> >
> >GigabitEthernet4/38, IMPORTANT SERVER 1
> >GigabitEthernet4/39, IMPORTANT SERVER 2
> >GigabitEthernet4/40, IMPORTANT SERVER 3
>
> I can see a couple of other ways of doing this inside of sec, but I am
> not sure it's easier/better than using `` in the command output:
> 1) use contexts
> 2) use a perl associative array
>
> The context could be called server_for_GigabitEthernet4/38 and have
> the value IMPORTANT SERVER 1. To populate it a rule like:
>
> type = single
> ptype = regexp
> pattern = ^set (GigabitEthernet[0-9/]*) (.*)
> action = fill server_for_$1 $2
>
> and generate a series of events/input lines like:
>
> set GigabitEthernet4/40 IMPORTANT SERVER 3
>
> into SEC (see the mailing list archives for doing this over a secure
> control channel).
>
> Then to use the mapping:
>
> action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' [email protected]; ...
>
> Note I may have some syntax off as I am doing this from memory. The
> assign is needed to wipe any prior value and the copy pulls the value
> from the context.
>
> You can also do something similar using a perl associative array
> replacing the fill ... from above with
>
> eval %v ($ServerName{$1} = '$2')
>
> using the same single rule. To retrieve the value use something like:
>
> eval %S ($ServerName{$2})
>
> which will return the value or use some extra perl (... || "Unknown
> server" perhaps??) to return a default value if the key doesn't
> exist. Note there may need to be a return or some other perlish syntax
> around $ServerName{$1}. I'm not in a position to test at the moment.
>
> All of these alternatives allow you to change the mappings on the fly
> using input to SEC (or rewriting an external file) which is usually
> wanted since a change in the wiring infrastructure shouldn't require a
> restart of SEC.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
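Taking up the option Justin raises of offloading the lookup to a Perl script that fails silently when the switch/port pair is not in the hash, the script below is an added example; it is not code from the thread or from the SEC project. The script name announce_port.pl, the mapping-file path and the recipient address are placeholders, and the mapping-file format is the one Justin posted (interface, comma, friendly name). Because a SEC shellcmd hands the captured interface name to a shell, the script also checks that the name has the shape a switch actually prints before using it, and passes the subject to /bin/mail as a separate argument rather than through another interpolated command string.

```perl
#!/usr/bin/perl
# announce_port.pl (hypothetical name, added example): look up a friendly
# name for a switch interface in a mapping file and mail the alert.
# Meant to be called from ONE generic SEC rule instead of one rule per port:
#   pattern=\w+\s+\d+\s\d+:\d+:\d+\s(\S+).*LINK-3-UPDOWN.*Interface (\S+), changed state to down
#   action=shellcmd /usr/bin/perl /home/scripts/announce_port.pl "$1" "$2" "%s"
# Unmapped interfaces exit 0 with no output, so the rule stays quiet for the
# ports nobody wants mail about.
use strict;
use warnings;

# Placeholders: adjust for the real deployment.
my $MAPPING_FILE = '/home/scripts/port-names.txt';
my $RECIPIENT    = 'netops@example.invalid';

# Read "GigabitEthernet4/38, IMPORTANT SERVER 1" lines into a hash.
sub load_mapping {
    my ($path) = @_;
    my %map;
    open my $fh, '<', $path or die "cannot open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;        # skip comments and blank lines
        my ($iface, $name) = split /\s*,\s*/, $line, 2;
        next unless defined $name && length $name;
        $map{$iface} = $name;
    }
    close $fh;
    return \%map;
}

# Accept only names shaped like what the switch prints (letters, digits, '/'),
# so a value captured from a log line cannot smuggle shell metacharacters
# into the mail command.
sub valid_interface {
    my ($iface) = @_;
    return $iface =~ m{^[A-Za-z][A-Za-z-]*\d+(?:/\d+)*$} ? 1 : 0;
}

# Return (subject, body) for a mapped port, or an empty list when the
# interface is malformed or has no friendly name.
sub build_alert {
    my ($map, $switch, $iface, $event) = @_;
    return unless valid_interface($iface);
    my $name = $map->{$iface};
    return unless defined $name;
    my $subject = "[ERROR] $name LINK_DOWN!";
    my $body    = "(MAJOR) $switch interface $iface ($name) DOWN!\n$event\n";
    return ($subject, $body);
}

unless (caller) {
    my ($switch, $iface, $event) = @ARGV;
    die "usage: $0 SWITCH INTERFACE EVENT_TEXT\n" unless defined $event;
    my $map = load_mapping($MAPPING_FILE);
    my ($subject, $body) = build_alert($map, $switch, $iface, $event);
    exit 0 unless defined $subject;           # not a mapped port: stay silent
    # List-form pipe open: /bin/mail gets the subject as one argv element,
    # with no second shell parsing the text we built.
    open my $mail, '|-', '/bin/mail', '-s', $subject, $RECIPIENT
        or die "cannot run /bin/mail: $!";
    print $mail $body;
    close $mail or die "/bin/mail failed: $!";
}
```

The hash is rebuilt on every call, which is what makes edits to the mapping file take effect without restarting SEC; for a 432-port switch that is a few hundred short lines per event, far cheaper than 60+ regex rules evaluated against every input line. Anything else Justin's announce.php does (sounds, phone alerts) can be chained from the same script once the lookup has succeeded, so the silent-exit decision is made exactly once.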