0 Replies Latest reply on May 30, 2013 11:21 AM by smartd

    Example of the Power of Simple Event Correlator

    smartd

      Here's a tool that would fix all the formatting, duplicate elimination, etc.

      Simple Event Correlator  (open-source)

       

      Here's some examples of its power:  Note ( ) captures the expression within to be used in $n variables.in descriptions and variables.

      ========= SEC Config Example =========

      # If a router interface is in down state for less
      # than 15 seconds, generate event
      # "<router> INTERFACE <interface> SHORT OUTAGE";
      # otherwise generate event
      # "<router> INTERFACE <interface> DOWN".

      type=PairWithWindow
      ptype=RegExp
      pattern=\s([\w.-]+) \d+: %LINK-3-UPDOWN: Interface ([\w.-]+), changed state to down
      desc=$1 INTERFACE $2 DOWN
      action=event %s
      ptype2=RegExp
      pattern2=\s$1 \d+: %LINK-3-UPDOWN: Interface $2, changed state to up
      desc2=%1 INTERFACE %2 SHORT OUTAGE
      action2=event %s
      window=15

      # If "<router> INTERFACE <interface> DOWN" event is
      # received, send a notification and wait for
      # "interface up" event from the same router interface
      # for the next 24 hours

      type=Pair
      ptype=RegExp
      pattern=^([\w.-]+) INTERFACE ([\w.-]+) DOWN
      desc=$1 interface $2 is down
      action=pipe '%t: %s' /bin/mail root@localhost
      ptype2=RegExp
      pattern2=\s$1 \d+: %LINK-3-UPDOWN: Interface $2, changed state to up
      desc2=%1 interface %2 is up
      action2=pipe '%t: %s' /bin/mail root@localhost
      window=86400

      # If ten "short outage" events have been observed
      # in the window of 6 hours, send a notification

      type=SingleWithThreshold
      ptype=RegExp
      pattern=^([\w.-]+) INTERFACE ([\w.-]+) SHORT OUTAGE
      desc=Interface $2 at node $1 is unstable
      action=pipe '%t: %s' /bin/mail root@localhost
      window=21600
      thresh=10

      =====================

      -=Dan=-