RE: [nv-l] Ruleset Correlation

2004-05-28 13:02:28
Subject: RE: [nv-l] Ruleset Correlation
From: "Barr, Scott" <Scott_Barr AT csgsystems DOT com>
To: <nv-l AT lists.us.ibm DOT com>
Date: Fri, 28 May 2004 11:33:27 -0500
Stephen, I use postemsg because I don't own TEC and that's what the TEC integration person chose to use. Doesn't really matter too much to me. We have LOTS of custom traps and supposedly that was a better choice. Can't comment as I am not really TEC savvy.
As far as the timing issue goes... I had observed a problem with single threading my listener calls, but after research I figured out how to code the PERL script (listener) to handle up to N number of sockets (n currently equals 100). The events do occur almost simultaneously, but the listener reflects receiving 34, and also reflects generating the 34 up traps. So if it is a timing issue, it doesn't show up through my logging. The PERL script does check for the return code from postemsg, but since the notification script was only called 12 times, and all 12 were successful, that doesn't really narrow it down very much.
I am just still thinking that maybe there is a problem trying to have 34 correlated up/down events simultaneously. Is there a correlation "queue" for each ruleset or one global "queue"? Is there a way to dump/display what's in that queue?

From: owner-nv-l AT lists.us.ibm DOT com [mailto:owner-nv-l AT lists.us.ibm DOT com] On Behalf Of Stephen Hochstetler
Sent: Friday, May 28, 2004 11:14 AM
To: nv-l AT lists.us.ibm DOT com
Subject: RE: [nv-l] Ruleset Correlation


I like your system. I have done something similar for managing a non-IP satellite network once. I did not use a listener since I simply did fast grep on a file to get the parsing that I needed to see if this alarm should be forwarded or not.

You say your listener is generating all 34 events...so I assume you see those in trapd.log. But that only 12 made it to TEC. Why are you using postemsg instead of the TEC adapter? I thought a benefit of the adapter was that it would queue the event if it did not get it sent.

Have you checked a timing issue...for example..if you get 3 events at the same time....is the process single threaded somewhere where only 1 gets forwarded to TEC successfully? If you are calling postemsg within a perl script...can you check for valid return codes?

Have you verified in the TEC reception database that only 12 were received?

Stephen Hochstetler shochste AT us.ibm DOT com
International Technical Support Organization at IBM
Office - 512-838-6198 (t/l 678) FAX - 512-838-6931
