Re: [nv-l] again a ruleset
2004-03-12 09:36:37
I keep trying to tell you that the ruleset implementation on Windows is not complete, that it does not work in the same fashion as on UNIX and that you will most likely have to abandon this attempt. If you insist on pursuing your present course, then you will have to open a problem to Support to have someone pursue the issue in detail, if that is what you want. But the end result might simply be a statement that what you want to do is not supported.

The simple fact is that IBM's direction for event correlation is TEC, and funding for expanding rulesets to make them work on Windows like they do on UNIX is not currently available and not likely to be made available. That is why in all probability, what you see is what you get.

So you will have to make a very hard choice here. Complex rulesets will likely require a UNIX implementation. So you have to get off Windows or give up rulesets for almost anything other than an event display filter, which is what the Windows implementation designed them to be. Look at the samples and you will see what I mean. They are quite trivial, and not even all of those work correctly, as I mentioned before.

In a nutshell, then you must open a problem for an official answer or find another solution.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group
lucian.vanghele AT bisnet DOT ro
Sent by: owner-nv-l AT lists.us.ibm DOT com
03/12/2004 08:57 AM
To: nv-l AT lists.us.ibm DOT com
Subject: [nv-l] again a ruleset

I'm back with my ruleset problem. This is the ruleset I'm trying to fire up on Windows:
RuleSet33 RuleSet EventAttr34 EventAttr42
"" 0
EventAttr34 EventAttr EventAttr35 EventAttr40
Specific 0 5 "" 0
EventAttr35 EventAttr AttrDelay36
Origin 0 192.168.4.84 "" 0
AttrDelay36 AttrDelay EventAttr37
"" 0 "" 180 "" 0 0 0 "Origin Origin
0~"
EventAttr37 EventAttr AttrJoin38
Specific 0 5 "" 0
AttrJoin38 AttrJoin UserExit39
"" 0 "" 600 "" 0 "Specific Specific
0~"
UserExit39 UserExit
" set >>loglog" 0 0 0 ""
EventAttr40 EventAttr AttrDelay41
Origin 0 192.168.4.83 "" 0
AttrDelay41 AttrDelay AttrJoin38.2
"" 0 "" 180 "" 0 0 0 "Origin Origin
0~"
EventAttr42 EventAttr EventAttr43 EventAttr44
Specific 0 9 "" 0
EventAttr43 EventAttr AttrDelay36.2
Origin 0 192.168.4.84 "" 0
EventAttr44 EventAttr AttrDelay41.2
Origin 0 192.168.4.83 "" 0
and this is the log file (nvcordd.log):
2004/03/12 15:48:48 : loading for correlationAppl 0x00FB0080
2004/03/12 15:48:48 : CorrDnode=0x01050038 ForwardCorr ap=0x00000000
2004/03/12 15:48:48 : new ap=0x00FB0080
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : Adding dnode to CorrelationDefinitionRuleSet
2004/03/12 15:48:48 : ===> Processing actions for regula.rs
2004/03/12 15:48:48 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:48:48 : ===> trap (6, 5)
2004/03/12 15:48:52 : Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:48:52 : Attr(Generic='(ulong,6)')
2004/03/12 15:48:52 : Attr(Specific='5')
2004/03/12 15:48:52 : Received event CID(1) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:48:52 : ===> Processing Event ===========================
1
of 1
Event CID(1) 15:48:52
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)')
Attr(Specific='5')
2004/03/12 15:48:52 : RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:48:52 : RuleSet::resolve() RuleSetName =regula.rs
2004/03/12 15:48:52 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:48:52 : Attr(Origin='(ulong,1409591488)')
2004/03/12 15:48:52 : Attr(sysUpTime='(ulong,1)')
2004/03/12 15:48:52 : Attr(Community='(char,)')
2004/03/12 15:48:52 : Attr(Category='(ulong,2)')
2004/03/12 15:48:52 : Attr(Source='(char,?)')
2004/03/12 15:48:52 : Attr(Severity='(ulong,1)')
2004/03/12 15:48:52 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.84) CONTINUE
2004/03/12 15:48:56 : ResetOnMatch:(7) event is being SAVED
2004/03/12 15:48:56 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.84) STOP
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5)
STOP
2004/03/12 15:49:01 : Ruleset regula.rs got 0
2004/03/12 15:49:01 : ===> Processing actions for regula.rs
2004/03/12 15:49:01 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:01 : ===> Finished with the trap
====================================
2004/03/12 15:49:01 : ===> trap (6, 5)
2004/03/12 15:49:01 : Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:49:01 : Attr(Generic='(ulong,6)')
2004/03/12 15:49:01 : Attr(Specific='5')
2004/03/12 15:49:01 : Received event CID(2) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:49:01 : ===> Processing Event ===========================
1
of 1
Event CID(2) 15:49:01
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)')
Attr(Specific='5')
2004/03/12 15:49:01 : RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:49:01 : RuleSet::resolve() RuleSetName =regula.rs
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:49:01 : Attr(Origin='(ulong,1392814272)')
2004/03/12 15:49:01 : Attr(sysUpTime='(ulong,1)')
2004/03/12 15:49:01 : Attr(Community='(char,)')
2004/03/12 15:49:01 : Attr(Category='(ulong,2)')
2004/03/12 15:49:01 : Attr(Source='(char,?)')
2004/03/12 15:49:01 : Attr(Severity='(ulong,1)')
2004/03/12 15:49:01 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.83) STOP
2004/03/12 15:49:05 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.83) CONTINUE
2004/03/12 15:49:10 : ResetOnMatch:(14) event is being SAVED
2004/03/12 15:49:10 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5)
STOP
2004/03/12 15:49:10 : Ruleset regula.rs got 0
2004/03/12 15:49:10 : ===> Processing actions for regula.rs
2004/03/12 15:49:10 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:10 : ===> Finished with the trap
====================================
2004/03/12 15:49:10 : ===> Processing time events
================================
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (7)setting
heartbeatInterval = 102 for:Event(CID(1),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1409591488)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 : ResetOnMatch:::processHeartbeat(7) finished
processing heartbeat.
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat(14)
RuleSetName=regula.rs
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (14)setting
heartbeatInterval = 111 for:Event(CID(2),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1392814272)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 : ResetOnMatch:::processHeartbeat(14) finished
processing heartbeat.
2004/03/12 15:50:10 : ===> Processing time events
================================
2004/03/12 15:51:10 : ===> Processing time events
================================
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat(7)
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))
I don't understand why the events don't go to the Pass on Match node after waiting 3 minutes in Reset on Match!! On Linux that rule works OK... Also, on Windows, a simple rule (just 2 event attributes, one Pass on Match and an inline action) also works fine!

Thanks
Lucian Vanghele
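
Added example, not part of the original thread and not NetView code: a small Python reader for the nvcordd.log trace quoted above that rejoins the mail-wrapped lines and lists, per event CID, each node decision with its timestamp, so the point where an event is SAVED and never passed on is easy to see. The function names are hypothetical, and reading the Origin ulong as little-endian bytes is inferred from the values in this log (1409591488 alongside 192.168.4.84).

```python
import re
import socket
import struct

# Excerpt of the nvcordd.log lines quoted in the message above, mail wrapping kept.
SAMPLE = """\
2004/03/12 15:48:52 : Received event CID(1) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:48:52 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:48:52 : Attr(Origin='(ulong,1409591488)')
2004/03/12 15:48:52 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.84) CONTINUE
2004/03/12 15:48:56 : ResetOnMatch:(7) event is being SAVED
2004/03/12 15:48:56 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.84) STOP
"""

STAMP = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) :\s*(.*)$")
RESOLVE = re.compile(r"Attr:(\w+) eq (\S+)\)\) \(\w+,([^)]*)\) (CONTINUE|STOP)")

def unwrap(text):
    """Join mail-wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records and line.strip():
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return records

def origin_to_ip(value):
    """Read the Origin ulong as little-endian bytes to get the dotted address."""
    return socket.inet_ntoa(struct.pack("<I", value))

def trace(text):
    """Per event CID, list (time, step) for each node decision in the log."""
    paths, cid = {}, None
    for when, body in unwrap(text):
        if (m := re.search(r"Received event CID\((\d+)\)", body)):
            cid = int(m.group(1))
            paths[cid] = []
        elif cid is not None and (m := RESOLVE.search(body)):
            paths[cid].append((when, "{} eq {} got {}: {}".format(*m.groups())))
        elif cid is not None and (m := re.search(r"ResetOnMatch:\((\d+)\) event is being SAVED", body)):
            paths[cid].append((when, f"ResetOnMatch({m.group(1)}) SAVED"))
    return paths
```
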