SEC and Nagios for log monitoring
Stanley Hopcroft
Stanley.Hopcroft at IPAustralia.Gov.AU
Wed Dec 8 06:20:39 CET 2004
Dear Sir,
I am writing to thank you for your letter and say,
On Tue, Dec 07, 2004 at 10:56:04AM -0800, nagios-users-request at lists.sourceforge.net wrote:
>
> Message: 34
> Date: Tue, 7 Dec 2004 13:55:51 -0500
> From: "Brian Huffman" <bhuffman at incyte.com>
> To: <nagios-users at lists.sourceforge.net>
> Subject: [Nagios-users] SEC and Nagios for log monitoring
>
> This is a multi-part message in MIME format.
>
> ------_=_NextPart_001_01C4DC8E.5F7FDE3E
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
plain text is always preferred
> All,
>
> A while back I saw a lot of posts in reference to logfile
> monitoring. One of the approaches was to use syslog-ng and swatch or as
> was also mentioned, SEC. I opted for the SEC approach as it allows
> piping to STDIN w/o having to jump through hoops.
And a lot of other advantages such as
1. event correlation (as well as event reaction)
2. multiple event/input streams
3. logging SEC processing to syslog
4. debugging
> My question is: Are people still using a script between SEC and
> Nagios to do further filtering / munging
The SEC rules are more than capable of filtering and munging. If
any more processing is needed they can launch their own scripts or
'require' further data/code.
SEC minimises the number of things needing maintaining because it
replaces scripts by the SEC configuration/rules sets.
> or are you going directly from SEC into Nagios? How
> are you getting the data there? Are you echoing into the nagios "cmd"
> file
Yep. Co-hosted Nag and SEC. Here's an example rule that processes traps
by generating a passive service check result.
type=PairWithWindow
ptype=RegExp
pattern=\[\d+\]: (\S+?): .+?\(RMON-MIB::risingAlarm\) .+?,
RMON-MIB::alarmIndex\.(\d+) = ..
.+)
desc=Alarm threshold crossed.
action=assign %i $1;
assign %x $3 $4;
eval %y ( $_ = '%x'; s/RMON-MIB:://g; s/OID:.+?:://g;
s/INTEGER: //g; s/alarmIndex.+?,//; s/\balarm//g;
$_ );
assign %o Failed. risingAlarm gt 30 secs: %y;
eval %h ( require '/usr/local/nagios/etc/alarm_hostnames.pl' unless
defined $ip2NagName{'%i'};
$ip2NagName{'%i'} );
write /usr/local/nagios/var/rw/nagios.cmd ([%u]
PROCESS_SERVICE_CHECK_RESULT;%h;%s;2;%o);
create risingAlarm_$1
> or are you using something like NSCA client?
>
> Thanks,
>
> Brian
>
>
Let's delete all the ugly multi-part ..
> ------_=_NextPart_001_01C4DC8E.5F7FDE3E
> Content-Type: text/html;
> charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
.. snip
<offtopic>
Here's a recently published LISA paper about real time log file analysis
with SEC (SEC is also pretty fast).
http://www.cs.umb.edu/~rouilj/sec
</offtopic>
Yours sincerely.
--
Stanley Hopcroft
Network specialist, IT Infrastructure
IP Australia
Ph: (02) 6283 3189 Fax: (02) 6281 1353
PO Box 200 Woden ACT 2606
http://www.ipaustralia.gov.au
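The rule above does three things: it extracts the trap's source address and varbinds, tidies the varbind text with a chain of substitutions, maps the address to a Nagios host name and writes a PROCESS_SERVICE_CHECK_RESULT line to the command file. As an added illustration (not Stanley's rule and not part of the SEC or Nagios projects), here is the same pipeline in Python, run over a constructed risingAlarm trap line. The sample line, the IP-to-hostname table (standing in for alarm_hostnames.pl) and the service name (the rule's desc field, which is what %s expands to in SEC) are all assumptions. The one thing the script adds beyond the rule is a sanitising step: trap text comes from the network, and anything that reaches the plugin output must not contain a newline, because the command file is read one command per line.

```python
import re
import time

# Constructed sample syslog line from snmptrapd, roughly in the shape the
# SEC rule's pattern expects. Not a real capture.
SAMPLE_TRAP = (
    'Dec  8 06:20:39 mon snmptrapd[1234]: 10.0.0.7: Enterprise Specific Trap '
    '(RMON-MIB::risingAlarm) Uptime: 1:02:03.04, '
    'RMON-MIB::alarmIndex.3 = INTEGER: 3, '
    'RMON-MIB::alarmVariable.3 = OID: IF-MIB::ifInErrors.2, '
    'RMON-MIB::alarmRisingThreshold.3 = INTEGER: 30'
)

# Hypothetical stand-in for /usr/local/nagios/etc/alarm_hostnames.pl:
# trap source address -> Nagios host name.
IP2NAGNAME = {'10.0.0.7': 'core-switch-1'}

# Assumed Nagios service name; the rule uses %s, i.e. its desc field.
SERVICE = 'Alarm threshold crossed.'
CMD_FILE = '/usr/local/nagios/var/rw/nagios.cmd'   # path from the rule

# Source address in group 1, the whole varbind list in group 2.
TRAP_RE = re.compile(
    r'\[\d+\]: (\S+?): .+?\(RMON-MIB::risingAlarm\) .+?, '
    r'(RMON-MIB::alarmIndex\.\d+ = .+)$'
)


def tidy_varbinds(text):
    """Mirror of the substitutions in the rule's 'eval %y' block."""
    text = re.sub(r'RMON-MIB::', '', text)
    text = re.sub(r'OID:.+?::', '', text)
    text = re.sub(r'INTEGER: ', '', text)
    text = re.sub(r'alarmIndex.+?,', '', text, count=1)
    text = re.sub(r'\balarm', '', text)
    return text.strip()


def sanitise_output(text):
    """Plugin output must stay on one line: control characters (including
    newlines, which would start a new command) are replaced by spaces."""
    return ''.join(ch if ch >= ' ' else ' ' for ch in text).strip()


def build_command(host, service, return_code, output, when=None):
    """Format a passive service check result for the Nagios command file."""
    stamp = int(time.time() if when is None else when)
    return '[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s' % (
        stamp, host, service, return_code, sanitise_output(output))


def process_trap(line, now=None):
    """Return the command line for a risingAlarm trap, or None if the line
    does not match or the source address is not a known Nagios host."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    host = IP2NAGNAME.get(m.group(1))
    if host is None:
        return None
    detail = tidy_varbinds(m.group(2))
    output = 'Failed. risingAlarm gt 30 secs: %s' % detail
    return build_command(host, SERVICE, 2, output, when=now)   # 2 = CRITICAL


def submit(command, cmd_file=CMD_FILE):
    """Append one command to the Nagios command file (a FIFO, so the open
    blocks until Nagios is reading it)."""
    with open(cmd_file, 'a') as fh:
        fh.write(command + '\n')


if __name__ == '__main__':
    cmd = process_trap(SAMPLE_TRAP)
    print(cmd)            # submit(cmd) would hand it to a running Nagios
```

Because the command file accepts anything written to it as a command from a trusted source, its permissions matter as much as the sanitising: only the SEC user (and Nagios) should be able to open it for writing.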