Update

simple-evcorr · Jan 26, 2018 · 30bae02 · 30bae02
1 parent 07c1a79
commit 30bae02
Show file tree

Hide file tree

Showing 15 changed files with 838 additions and 0 deletions.
diff --git a/bsd-MONITOR.sec → bsd/bsd-MONITOR.sec b/bsd-MONITOR.sec → bsd/bsd-MONITOR.sec
diff --git a/bsd-PHYSMOD.sec → bsd/bsd-PHYSMOD.sec b/bsd-PHYSMOD.sec → bsd/bsd-PHYSMOD.sec
diff --git a/bsd-USERACT.sec → bsd/bsd-USERACT.sec b/bsd-USERACT.sec → bsd/bsd-USERACT.sec
diff --git a/bsd-general.sec → bsd/bsd-general.sec b/bsd-general.sec → bsd/bsd-general.sec
diff --git a/bsd-mpd.sec → bsd/bsd-mpd.sec b/bsd-mpd.sec → bsd/bsd-mpd.sec
diff --git a/cisco-syslog.sec → cisco/cisco-syslog.sec b/cisco-syslog.sec → cisco/cisco-syslog.sec
diff --git a/pix-general.sec → cisco/pix-general.sec b/pix-general.sec → cisco/pix-general.sec
diff --git a/pix-security.sec → cisco/pix-security.sec b/pix-security.sec → cisco/pix-security.sec
diff --git a/pix-url.sec → cisco/pix-url.sec b/pix-url.sec → cisco/pix-url.sec
diff --git a/xymon/01control.sr b/xymon/01control.sr
@@ -0,0 +1,100 @@
+###############################################################################
+# Rules to allow Windows implementations to be controlled when
+# no signals are otherwise supported
+###############################################################################
+type=single
+continue=dontcont
+ptype=tvalue
+pattern=TRUE
+desc=don't apply these rules unless from control file.
+context=! CONTROL
+action=none
+
+###############################################################################
+type=single
+continue=takenext
+ptype=tvalue
+pattern=TRUE
+desc=report event processed.
+action=create EVENT_PROCESSED
+
+###############################################################################
+type = single
+continue=dontcont
+desc = do a full restart of SEC
+ptype = regexp
+pattern = ^reset
+action = lcall %r HUP -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = do a soft restart of SEC
+ptype = regexp
+pattern = ^reload
+action = lcall %r ABRT -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = dynamically cycle through logging verbosity levels
+ptype = regexp
+pattern = ^verbose
+action = lcall %r INT -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = write info about SEC state to the dump file
+ptype = regexp
+pattern = ^dumpstats
+action = lcall %r USR1 -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = close and reopen output logs
+ptype = regexp
+pattern = ^logrotate
+action = lcall %r USR2 -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = implement fake signal handling
+ptype = regexp
+pattern = ^kill (TERM|HUP|ABRT|USR1|USR2|INT)
+action = lcall %r $1 -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\
+         if %r ( logonly %r )
+
+###############################################################################
+type = single
+continue=dontcont
+desc = test upstream Xymon server
+ptype = regexp
+pattern = ^ping
+action = lcall %r %XYMSRV 1984 ping -> ( sub { Sec2Xym::sendToXymon(@_) } );\
+         logonly %r
+
+###############################################################################
+type = single
+continue=dontcont
+desc = update configuration files stored on Xymon server
+ptype = regexp
+pattern = ^refresh_config
+action = lcall %r %XYMDL/SimpleEventCorrelator.sr %XYMDL/01control.sr %XYMDL/xymon.sr -> ( sub { Sec2Xym::refresh_config(@_) } ) ; logonly %r
+
+###############################################################################
+type = single
+continue=dontcont
+desc = toggle debug of Sec2Xym module
+ptype = regexp
+pattern = ^debug
+action = lcall %r -> ( sub { Sec2Xym::toggle_debug(@_) } ) ; logonly %r
+
+###############################################################################
diff --git a/xymon/CEPoller.sr b/xymon/CEPoller.sr
@@ -0,0 +1,63 @@
+################################################################################
+# Simple Event Correlation rules for the CEPoller log
+# v0.001 2017-10-09 First version
+################################################################################
+#
+# NB, you cannot use the # character within a rule, rules are terminated by a
+# blank line or the # comment character.  If you want to document within a
+# rule, use the rem keyword instead.
+#
+################################################################################
+
+################################################################################
+# SYNOPSIS RULE #1
+# dont apply these rules unless the context matches
+###############################################################################
+type=single
+continue=dontcont
+ptype=tvalue
+pattern=TRUE
+desc=don't apply these rules unless CE Poller log.
+context=! CEPOLLER
+action=none
+
+###############################################################################
+
+################################################################################
+# SYNOPSIS RULE #2
+# just process any lines observed on input containing the words FATAL or ERROR 
+################################################################################
+type=SingleWithSuppress
+ptype=RegExp
+pattern=(Mailbox Poller is already running)(.*)
+desc=Fatal error
+action= delete waiting_for_badstuff ;\
+        add bad_stuff_happening %t ;\
+        add bad_stuff_happening $0 ;\
+        empty bad_stuff_happening %msg ;\
+        lcall %r1 %null %COLUMN severe %LIFETIME %msg -> ( sub { Sec2Xym::XymonStatusUpdate(@_) } ) ;\
+        logonly %r1 ;\
+        set bad_stuff_happening 300 ( \
+               add bad_stuff_happening %t ;\
+               add bad_stuff_happening %COLUMN recovered;\
+               add bad_stuff_happening No more badstuff observed in last 5 minutes;\
+               copy bad_stuff_happening %msg ;\
+               lcall %r1 %null %COLUMN green %LIFETIME %msg -> ( sub { Sec2Xym::XymonStatusUpdate(@_) } ) ;\
+               logonly %r1 \
+             )
+window=2
+
+################################################################################
+# SYNOPSIS RULE #3
+# create hard link to newest log file in the parent directory
+# NB the subroutine refresh_logpath takes 2 arguments, the first is the name
+# of the link to be created and the second is the regex of candidate files
+################################################################################
+# not used # type = calendar
+# not used # time = * * * * *
+# not used # desc = relink current file
+# not used # action = lcall %relink D:\apps\tomcat\current\logs\pollerLog.log .*_log\.txt -> \
+# not used #                        ( sub { Sec2Xym::refresh_logpath(@_) } ) ;\
+# not used #                 if %relink  ( logonly %relink )
+
+################################################################################
diff --git a/xymon/README.pdf b/xymon/README.pdf
diff --git a/xymon/SimpleEventCorrelator.rc b/xymon/SimpleEventCorrelator.rc
@@ -0,0 +1,22 @@
+# SimpleEventCorrelator.rc
+# this file (SECRC) is read first, these settings are treated as
+# though they had been entered on the command line
+
+# pull in additional conf files
+--conf=etc/xymon.sr
+--intevents
+
+# define the log file to be scanned
+--conf=etc/CEPoller.sr
+--input=D:\apps\tomcat\current\logs\pollerLog.log=CEPOLLER
+--reopen-timeout=61
+
+# other useful settings
+--debug=6
+--dump=tmp/sec.dump
+
+--conf=etc/01control.sr
+--input=etc/control=CONTROL
+
+#--conf=etc/calendar.sr
+