Hi Georgi,
can you post the actual log messages and describe how exactly they
should be handled? Since most people in the list are probably not
familiar with RANCID, it is quite hard to grasp what events should be
processed and how the processing should be done.
regards,
risto

2014-01-29 George Lakovski <[email protected]>:
>
>
>  Hi,
>     I need some help for the work of RANCID with SEC.pl.
>
>     I need to achieve the following functionality observing the syslog of
> Cisco devices.
>
> 1) look for a description of an interface that matches a specific pattern. If
> there is a match, check whether there is a "SYS-5-CONFIG_I" message in the
> log and initiate a new poll of the specific device that reported the messages.
> The log messages for the interface description and the write config should
> be for the same device and user and within a 5 min interval. Otherwise nothing
> should be done.
>
> 2) if the above conditions are not met as described, poll the device only
> by a "SYS-5-CONFIG_I" message
>
>   All this is with the idea to match a specific "change ID", coded in the
> description and to pass it together with the user, who made the change to
> RANCID. This data will appear in the logs of RANCID as global variables
> passed to RANCID in the "bin/control_rancid" file to the
>
> "if [ "X$device" != "X" ] ; then
>     $RCSSYS commit -m "$EXECUTOR via $SOURCE_IP due to JOB_ID updated $mailrcpt"
>     subject="$GROUP/$device $subject"
> else
>     $RCSSYS commit -m "$EXECUTOR via $SOURCE_IP due to JOB_ID update"
>     subject="$GROUP $subject"
> fi"
>
> section.
>
> I imagine it to be something like the following, but I can't make it work.
>
> # in case of change to an interface description combined with write config
>
> type=Pair
> ptype=RegExp
> pattern=\S (\w+-\w+-\w+\d) .*%PARSER-5-CFGLOG_LOGGEDCMD.* User:(\w+)  logged command:description.*Job Id# = (\d+) .*
> desc=This is the description of the changed interface
> action=eval %TEST1 ( $ENV {'JOB_ID'}="$3" )
> ptype2=RegExp
> pattern2=\S $1 .*SYS-5-CONFIG_I.* by $2 on vty\d+ \((\d+.\d+.\d+.\d+)\)
> desc2=Please verify. There is a change in the config of $1 by $2
> action2=eval %TEST2 ( $ENV {'EXECUTOR'}="$2" );\
>         eval %TEST3 ( $ENV {'SOURCE_IP'}="$3" );\
>         shellcmd /usr/local/rancid/bin/rancid-run -r $1
> window=1800
>
>
> # in case there is no change of description, only changes not related to interface description
>
> type=Single
> ptype=RegExp
> pattern=\S (\w+-\w+-\w+\d) .*SYS-5-CONFIG_I.* by (\w+) on vty\d+ \((\d+.\d+.\d+.\d+)\)
> desc=Please verify. There is a change in the config of $1 by $2
> action=eval %TEST2 ( $ENV {'EXECUTOR'}="$2" );\
>        eval %TEST3 ( $ENV {'SOURCE_IP'}="$3" );\
>        shellcmd /usr/local/rancid/bin/rancid-run -r $1
> window=1800
>
> Probably the first part may be done with CONTEXTs....
> Any ideas? I will appreciate any help how to accomplish my ideas.
>
> BR,
>  Georgi
>
>
> ------------------------------------------------------------------------------
> WatchGuard Dimension instantly turns raw network data into actionable
> security intelligence. It gives you real-time visual feedback on key
> security issues and trends.  Skip the complicated setup - simply import
> a virtual appliance and go from zero to informed in seconds.
> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
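
The correlation described in the quoted message, written out in Python as an added example; it is not part of either message and is not SEC or RANCID code. The `<ISO timestamp> <hostname> <message>` line layout, the sample lines and the hypothetical `correlate` function are assumptions, and the function returns the poll it would start instead of running `rancid-run`.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                    # "5 min interval" from the post
RANCID_RUN = "/usr/local/rancid/bin/rancid-run"  # path as given in the post

# Assumed layout "<ISO timestamp> <hostname> <message>"; patterns adapted from the post.
DESC_RE = re.compile(
    r"^(\S+) (\w+-\w+-\w+\d) .*%PARSER-5-CFGLOG_LOGGEDCMD.* User:(\w+)\s+"
    r"logged command:description.*Job Id# = (\d+)")
CONF_RE = re.compile(
    r"^(\S+) (\w+-\w+-\w+\d) .*SYS-5-CONFIG_I.* by (\w+) on vty\d+ "
    r"\((\d+\.\d+\.\d+\.\d+)\)")

def correlate(lines):
    """Return one (argv, env) poll plan per SYS-5-CONFIG_I line."""
    pending = {}  # (device, user) -> (job id, time the description was logged)
    plans = []
    for line in lines:
        m = DESC_RE.match(line)
        if m:
            ts, device, user, job = m.groups()
            pending[(device, user)] = (job, datetime.fromisoformat(ts))
            continue
        m = CONF_RE.match(line)
        if not m:
            continue
        ts, device, user, ip = m.groups()
        env = {"EXECUTOR": user, "SOURCE_IP": ip}
        job, seen = pending.pop((device, user), (None, None))
        if job is not None and datetime.fromisoformat(ts) - seen <= WINDOW:
            env["JOB_ID"] = job  # case 1: same device and user, inside the window
        # case 2: no usable description event, so the poll carries no JOB_ID
        plans.append(([RANCID_RUN, "-r", device], env))
    return plans

# Constructed sample lines, not real device output.
SAMPLE = [
    "2014-01-29T10:00:00 sof-core-rtr1 101: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:alice  logged command:description uplink Job Id# = 4711 ",
    "2014-01-29T10:02:00 sof-core-rtr1 102: %SYS-5-CONFIG_I: Configured from "
    "console by alice on vty0 (192.0.2.10)",
    "2014-01-29T10:30:00 sof-core-rtr1 103: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:alice  logged command:description uplink Job Id# = 4712 ",
    "2014-01-29T10:40:00 sof-core-rtr1 104: %SYS-5-CONFIG_I: Configured from "
    "console by alice on vty0 (192.0.2.10)",
    "2014-01-29T11:00:00 var-edge-sw2 105: %SYS-5-CONFIG_I: Configured from "
    "console by bob on vty1 (192.0.2.20)",
]
```

Each plan can be passed to `subprocess.run(argv, env={**os.environ, **env})`, which starts `rancid-run` without a shell, so fields taken from log lines are never parsed as shell syntax.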
