terje
Joined: 25 Jul 2005 Posts: 88 Location: Sydney
|
Posted: Wed Dec 12, 2007 4:52 am Post subject: Send Event details to external parsing script |
|
|
We make quite heavy use of the "NT Event Log" test to check up on all our customers' networks. For example we like to watch for "unexpected reboot" or "UPS battery needs replacing" type of events. The current test logic allows quite a bit of flexibility in narrowing down the criteria that will be flagged as bad.
However, one thing I would really like as an enhancement is to be able to send the text associated with an event to an external script for parsing and determining the status of the test. Either that or some more powerful inbuilt logic tests.
For example I do a test on some sites on the Security log looking for events 528 with "Logon Type: 10" in the description (with text modified to include TAB character). Such events tell me that somebody has done a remote logon to the server (RDP), which lets me keep tabs on who is doing various things. However I'm only really interested in being alerted if the login is from external to the customer's LAN, so I would like to ignore such events if they also include the following text:-
"Source Network Address: 192.168.1."
Obviously I'm wishing for some more powerful parsing capabilities, either in-built or via a mechanism that can pass the job to a script. |
|
KS-Soft Europe
Joined: 16 May 2006 Posts: 2832
|
Posted: Wed Dec 12, 2007 5:05 am Post subject: Re: Send Event details to external parsing script |
|
|
terje wrote: | However I'm only really interested in being alerted if the login is from external to the customer's LAN, so I would like to ignore such events if they also include the following text:-
"Source Network Address: 192.168.1." |
Version 7.0 offers you the String comparison operator 'in'. So, you may use an advanced mode action with an expression like the following:
Code: | ('%SimpleStatus%'=='DOWN') and ('Source Network Address: 192.168.1.' in '%Reply%') |
Quote:
http://www.ks-soft.net/hostmon.eng/news.htm
===================================
22. String comparison operator 'in' is supported by "advanced actions" evaluator, e.g. you may setup expression like ('Error' in '%::Test1::Reply%')
===================================
Regards,
Max |
|
terje
Joined: 25 Jul 2005 Posts: 88 Location: Sydney
|
Posted: Thu Dec 13, 2007 12:43 am Post subject: |
|
|
Thanks.
That gives me the necessary incentive to upgrade. |
|
terje
Joined: 25 Jul 2005 Posts: 88 Location: Sydney
|
Posted: Wed Feb 13, 2008 6:24 pm Post subject: |
|
|
Okay, I've upgraded and I think I have my head around the suggestion. As I understand it, this approach won't change the fact that the test is changed to a BAD status; it will merely allow me to do some advanced filtering before sending an email in response to that BAD status. However, what I would really prefer to be able to do is to not have the test status change at all. As such I would really like to be able to do something like this:-
Test for an event log entry of type xyz. Take the description text from the event and either parse it using string operators within HostMonitor or pass it to an external script (with macro parameters) and, based on that result, decide if the test is GOOD or BAD.
A seemingly easy approach would be if in the EVENT LOG TEST PROPERTIES page, under the section called DESCRIPTION CONTAIN it was possible to prefix a string with some sort of NOT operator. So in my case you would have the following settings:-
COMPUTER = ANY
COMPUTER TYPE = ANY FROM THE FOLLOWING { Success Audit }
EVENT ID = ANY FROM THE FOLLOWING { 528 }
DESCRIPTION CONTAINS = ANY STRING FROM LIST { "Logon Type: 10", ~"192.168.1" }
Where ~ is the logical operator NOT.
Filtering at the alert level is helpful but it does not change the fact that a test is showing as BAD in the console.
|
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Thu Feb 14, 2008 10:18 am Post subject: |
|
|
Quote: | However what I would really prefer to be able to do is to not have the test status change at all. |
You may use Optional status processing
http://www.ks-soft.net/hostmon.eng/mframe.htm#tests.htm#usrstatusprocessing
E.g. you may enable "Use Normal status" option and provide expression like ('%SuggestedStatus%'=='DOWN') and ('Source Network Address: 192.168.1.' in '%SuggestedReply%')
Regards
Alex |
|
terje
Joined: 25 Jul 2005 Posts: 88 Location: Sydney
|
Posted: Tue Feb 19, 2008 8:22 pm Post subject: |
|
|
I had to use SimpleStatus as in:-
Quote: | ('%SuggestedSimpleStatus%'=='DOWN') and ('Source Network Address: 10.2.1.' in '%SuggestedReply%') |
but otherwise that's perfect. |
|
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
|
Posted: Wed Feb 20, 2008 11:07 am Post subject: |
|
|
Yes, should be '%SuggestedSimpleStatus%'=='DOWN'. My mistake.
Regards
Alex |
|
terje
Joined: 25 Jul 2005 Posts: 88 Location: Sydney
|
Posted: Thu Mar 13, 2008 7:18 pm Post subject: |
|
|
Actually, just for others that might want to use this, it is worth mentioning that you may need to include a TAB character between "Source Network Address:" and the "10.2.1." |
|
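The filter discussed in this thread, written as the kind of stand-alone parsing script the first post asks for (an added example, not code from any poster or from KS-Soft, and not HostMonitor's script interface). It parses the description fields so the TAB-versus-space separator does not matter, and tests the source address for network membership instead of a text prefix; the `/24` ranges, function names and sample text are assumptions built from the prefixes quoted above.

```python
import ipaddress
import re

# Assumption: the customer LAN ranges; the thread's two prefixes written as networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.2.1.0/24")]

# "Name:<spaces or TABs>value", one field per line of the event description.
FIELD_RE = re.compile(r"^\s*([^:\r\n]+?):[ \t]*(.*?)\s*$", re.MULTILINE)

def parse_fields(description):
    """Map field name -> value, whatever whitespace follows the colon."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(description)}

def classify(event_id, description, internal_nets=INTERNAL_NETS):
    """Return 'BAD' only for a 528 / Logon Type 10 event from outside the LAN."""
    if event_id != 528:
        return "GOOD"
    fields = parse_fields(description)
    if fields.get("Logon Type") != "10":
        return "GOOD"
    try:
        source = ipaddress.ip_address(fields.get("Source Network Address", ""))
    except ValueError:
        return "BAD"  # address missing or unparseable: alert rather than ignore
    return "GOOD" if any(source in net for net in internal_nets) else "BAD"

def sample_description(address, logon_type="10", sep="\t"):
    """Constructed sample text laid out like a 528 description (not real log data)."""
    return ("Successful Logon:\r\n"
            f"\tUser Name:{sep}jsmith\r\n"
            f"\tLogon Type:{sep}{logon_type}\r\n"
            f"\tSource Network Address:{sep}{address}\r\n"
            f"\tSource Port:{sep}3389\r\n")

if __name__ == "__main__":
    for addr in ("192.168.1.25", "192.168.10.5", "203.0.113.7", "-"):
        print(addr, classify(528, sample_description(addr)))
```

A bare `"192.168.1"` substring also matches `192.168.10.5`, and a space-separated search string never matches a TAB-separated description; the parsed version avoids both.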