Risto,

Yes, all the rules are in the same file, and when I tried running the whole file 
as the configuration file and provided just a dummy file that had the exact 
event, it still works.

The pattern gets logged as a Research pattern only when it is running as a daemon. Just 
thinking if there is a possibility of hidden junk characters in the event?

Thanks,
Shashi

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Thursday, September 08, 2016 2:27 PM
To: Ganji, Shashirekha Yadav <shash...@qualcomm.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Pairwithwindow rule

hi Shashi,
are all your rules in the same file, and is the event a single-line event that 
doesn't contain any newlines? Since the event matching process depends on the 
order of rules, and rules can be skipped with continue=goto statements, seeing 
the entire rule file would be helpful. Also, have you tried testing the ruleset 
interactively, in order to see if the PairWithWindow rule matches the event?
kind regards,
risto

2016-09-09 0:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

Risto,

Thanks for your inputs. I have set up SEC in such a way that if the pattern does 
not match any of the rules, it will be logged against the last rule as below:

## Rule: 32
## Last Updated At: 2014-08-22T16:38:01.061Z
## A catch all rule that is used for researching new patterns
type=singleWithSuppress
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*((%\S+:).*)
desc=$1 $2
action=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Research, Device=$1, Pattern=$3, Log=-" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=86400

In this case, the message is getting logged as a Research pattern, indicating SEC did 
process the event.

Thanks,
Shashi

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Thursday, September 08, 2016 2:06 PM
To: Ganji, Shashirekha Yadav <shash...@qualcomm.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Pairwithwindow rule

hi Shashi,
I tested the rule quickly against the following input line that you provided in 
your previous post:

Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:12:30 
PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power 
supply 2: failed
In my quick test, I set the window parameter of the PairWithWindow rule to 1, 
in order to see if the 'pattern' field matches this line, and if the action in 
the 'action' field gets triggered after 1 second. At least in my case, the rule 
is working perfectly:

sec --conf=test-sec.conf --input=-
SEC (Simple Event Correlator) 2.7.8
Reading configuration from test-sec.conf
1 rules loaded from test-sec.conf
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level

Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:12:30 
PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power 
supply 2: failed     <--- that's the line I typed to sec standard input

Executing shell command 'perl 
/etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent 
san-w170-dcr-sw-02-mgmt --target 2 --notifying_group NETRS --severity MAJOR 
--kpi Network --pattern "SATCTRL-FEX107-2-SOHMS_DIAG_ERROR:" --log 
"SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power supply 
2: failed" --source SEC --sendevent on'     <--- and that's a sec debug message 
which indicates the action execution
Are you sure that your sec instance actually observed that event? Also, since 
the event correlation window is fairly large (3600 seconds), are you sure sec 
was not restarted while the event correlation operation was running?
regards,
risto


2016-09-08 23:43 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:
My bad, sent the wrong rule.

Here is the correct SEC rule that I have in production.

type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
desc2=logonly
action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=3600

Thanks,
Shashi

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Thursday, September 08, 2016 12:31 PM
To: Ganji, Shashirekha Yadav <shash...@qualcomm.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: Pairwithwindow rule

hi Shashi,
there appears to be a subtle difference between the regular expression and the 
event you are trying to match. When you take a closer look at the regular 
expression, you will notice that it contains the following fragment:

%SATCTRL-FEX101-2
However, the event from the log file contains the substring "%SATCTRL-FEX107-2" 
which doesn't match the above construct. To fix the regular expression and make 
it work for both 101 and 107, you could use the construct 10[17] or perhaps 
just \d+.
kind regards,
risto
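As an added example (not code from the thread, and not SEC's own code), the following Python checks the posted rule 30 'pattern' and the suggested 1[0-9][0-9] variant against the event line, expands $1 into pattern2 the way SEC does before looking for the second event, and includes a quick hidden-character check for the "junk characters" question raised at the top of the thread. The recovery event and the window-free correlation model (later lines are assumed to arrive inside the 3600-second window) are constructed assumptions, and Python's re module stands in for SEC's Perl regex engine; the constructs used here behave the same in both.

```python
import re

# Event from the thread that failed to match rule 30.
EVENT = ("Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:12:30 "
         "PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power "
         "supply 2: failed")
# Constructed recovery event for the same supply (not taken from the thread).
RECOVERY = ("Date=Sep  8 08:20:05 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:20:05 "
            "PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 Recovered: System minor alarm "
            "on power supply 2: failed")

# 'pattern' of rule 30 as posted (FEX101 only) and with the suggested 1[0-9][0-9] fix.
PATTERN_ORIG = (r"Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:)"
                r".*power supply (\d): failed)")
PATTERN_FIXED = PATTERN_ORIG.replace("FEX101", "FEX1[0-9][0-9]")
# 'pattern2' with the same fix; $1 is filled in from the first match, as SEC does.
PATTERN2_FIXED = (r"Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:)"
                  r".* Recovered: .* supply (\d): failed)")


def match_vars(pattern, line):
    """Return SEC-style match variables {'$1': ..., '$2': ...}, or None on no match."""
    m = re.search(pattern, line)
    if m is None:
        return None
    return {"$%d" % i: g for i, g in enumerate(m.groups(), start=1)}


def expand(template, variables):
    """Substitute $N match variables into pattern2 (literal substitution, like SEC)."""
    return re.sub(r"\$(\d+)", lambda m: variables.get("$" + m.group(1), ""), template)


def pair_with_window(first_line, later_lines, pattern, pattern2):
    """Simplified PairWithWindow: 'action' if no recovery arrives, 'action2' if it does.
    Window timing is not modelled; later_lines are assumed to fall inside the window."""
    v = match_vars(pattern, first_line)
    if v is None:
        return None                      # the rule never fires for this line
    p2 = expand(pattern2, v)
    for line in later_lines:
        v2 = match_vars(p2, line)
        if v2 and v2["$4"] == v["$4"]:   # same power supply number
            return "action2"
    return "action"


def junk_chars(line):
    """(position, hex) of characters outside printable ASCII: a check for hidden junk."""
    return [(i, "0x%02x" % ord(c)) for i, c in enumerate(line) if not 0x20 <= ord(c) < 0x7F]
```

Running match_vars with both patterns shows directly that only the FEX1[0-9][0-9] version matches the FEX107 event, and junk_chars on a line read from the real input file reveals stray control characters that an interactive copy-and-paste test would silently drop.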


2016-09-08 22:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

Hi All,

Is there any problem in this rule??

The rule was working fine but suddenly stopped working by not matching the 
first pattern.

## Rule: 30 (Nexus Extender power supply) Environment alert regarding power 
## supply failure. It will suppress the alarm if the power supply recovers within an hour
type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
desc2=logonly
action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=3600

To be matched data:

Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:12:30 
PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power 
supply 2: failed

Thanks,
Shashi





------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users