Hi,
Thank you! It helped us a lot!
Best regards, Lezin Pavel
ОАО "Межрегиональный Транзит Телеком"
Tel.: 8-800-333-4923 ext. 3612
Mobile: +7-928-607-6991
www.mtt.ru
On 14.04.2015 21:41, Risto Vaarandi wrote:
hi Pavel,
the problem lies in the pattern2 field of the rule. Currently, the
field is defined as follows:
pattern2=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
Now, suppose that the following event comes in:
[1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded
This event will match the PairWithWindow rule, and the rule will start
a waiting operation for sbc-amalthea and SA-SIP-MSK-Nextel (since you
have used $2 and $3 in the 'desc' field of the rule definition). The
waiting operation will run for 3600 seconds, expecting to see an
"inservice" event which would match the following regular expression:
^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
Unfortunately, this regular expression will not only match events
for sbc-amalthea and SA-SIP-MSK-Nextel, but for any other name
combination. For example, if the following event comes in
[1428995864] SCHEDULE_SVC_CHECK;sbc-test;SA-SIP-TEST-Nextel;1428995864;inservice
this event will match the regular expression, and thus the operation
will terminate (although it shouldn't).
In order to fix this problem, the expression should be modified as
follows:
^([^;]* SCHEDULE_SVC_CHECK);($2);($3);([^;]*);(inservice)
Now we are restricting the expression to match the specific name
combination that was seen previously.
In fact, the most recent version of sec also received a number of
updates into its official documentation, including more detailed
documentation of Pair and PairWithWindow rules. In particular, "Event
Correlation Operations" section contains an interesting example:
http://simple-evcorr.sourceforge.net/man.html#lbAX
I'd recommend looking into this example to get a detailed picture of
how the 'pattern2' field functions.
Hope this helps,
risto
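To make the difference between the two pattern2 variants concrete, here is a small Python simulation of one PairWithWindow operation (added example, not SEC's code and not from the thread): it substitutes the $N match variables of the opening event into pattern2, then feeds the constructed sample events through and reports which event terminates the operation. The re.escape() of substituted values and the exact window arithmetic are assumptions of the simulation, not documented SEC behaviour.

```python
import re

# Constructed sample events modelled on the ones quoted in the thread; the
# "[epoch]" prefix is assumed to be on the same line as the rest of the event.
EVENTS = [
    "[1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded",
    "[1428995864] SCHEDULE_SVC_CHECK;sbc-test;SA-SIP-TEST-Nextel;1428995864;inservice",
    "[1428995865] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995865;inservice",
]

PATTERN = r"^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(constraintsexceeded)"
PATTERN2_LOOSE = r"^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)"
PATTERN2_FIXED = r"^([^;]* SCHEDULE_SVC_CHECK);($2);($3);([^;]*);(inservice)"
WINDOW = 3600


def substitute(pattern2, match):
    """Replace each $N in pattern2 with group N of the opening match.
    re.escape() is a defensive assumption of this simulation (not SEC's
    documented behaviour) so a name with regex metacharacters stays literal."""
    return re.sub(r"\$(\d+)",
                  lambda m: re.escape(match.group(int(m.group(1)))), pattern2)


def event_time(event):
    """Epoch seconds taken from the leading "[epoch]" prefix (constructed format)."""
    return int(re.match(r"^\[(\d+)\]", event).group(1))


def closing_event(events, pattern2, window=WINDOW):
    """Simulate a single PairWithWindow operation: the first event matching
    PATTERN opens it and fixes the substituted pattern2; return the event that
    terminates the operation, or None if the window expires first."""
    active, opened_at = None, None
    for ev in events:
        if active is None:
            m = re.match(PATTERN, ev)
            if m:
                active = re.compile(substitute(pattern2, m))
                opened_at = event_time(ev)
            continue
        if event_time(ev) - opened_at > window:
            return None        # window elapsed: action2 would fire, no pair found
        if active.match(ev):
            return ev          # pair found: the operation terminates here
    return None


if __name__ == "__main__":
    print("loose pattern2 closed by:", closing_event(EVENTS, PATTERN2_LOOSE))
    print("fixed pattern2 closed by:", closing_event(EVENTS, PATTERN2_FIXED))
```

With the loose pattern2 the unrelated sbc-test event closes the sbc-amalthea operation; with ($2);($3) only the matching host/service pair does.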
2015-04-14 17:04 GMT+03:00 Lezin Pavel <[email protected]>:
Hi,
We use PairWithWindow rule in our SEC configuration to suppress
some useless SNMP traps.
Our config is based on these rules:
type=PairWithWindow
ptype=RegExp
pattern=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(constraintsexceeded)
desc=SVC_CHECK $2 $3 "const-inservice"
action=logonly; write icinga.cmd ($1;$2;$3;$4)
ptype2=RegExp
pattern2=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(inservice)
action2=logonly
desc2=SVC_CHECK $2 $3 "const-inservice"
window=3600
type=Single
ptype=RegExp
pattern=^([^;]* SCHEDULE_SVC_CHECK);([^;]*);([^;]*);([^;]*);(.*)
desc=SVC_CHECK $2 $3
action=logonly (Single %s "$5"); write icinga.cmd ($1;$2;$3;$4)
Using this rule set, we want to find and filter out pairs of
events that look like:
[1428995863] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995863;constraintsexceeded
[1428995864] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995864;inservice
But we can't correctly catch all of these pairs received in traps. In
some cases the number of received pairs is greater than the number of
pairs matched by the PairWithWindow rule.
At the same time, events like:
"[1428995864] SCHEDULE_SVC_CHECK;sbc-amalthea;SA-SIP-MSK-Nextel;1428995864;inservice"
which have a pair are matched by the second rule (Single). But the Single
rule must catch events without a pair.
An example of the traps (trap.dat) is in the attachment.
/usr/bin/sec --conf=sec-trap.conf --input=trap.dat --log=sec-trap.log --dump=sec.dmp --notail
We need some help in solving this problem.
Thanks!
--
With Regards, Lezin Pavel.
------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live
exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users