[c-nsp] RANCID and SEC (Simple Event Correlator)
Christian Zeng
christian at zengl.net
Mon Feb 27 11:52:24 EST 2006
Hi,
you must suppress further events after the first event occurred. SEC has
the 'SingleWithSuppress' event type for this task:

type=SingleWithSuppress
ptype=RegExp
pattern=<SYS-5-CONFIG regex>
desc=$0
action=<launch RANCID here>
window=<time in seconds to ignore subsequent events>

This will launch 'action' when 'pattern' is logged. Subsequent 'pattern'
will be ignored for 'window' seconds.
Include in the 'pattern' regex the logged hostname/IP address. If you
only cover the 'SYS-5-CONFIG' statement, this rule will cover and
possibly suppress messages from *all* hosts.
More complicated event reduction tasks can be done with contexts; SEC is
very powerful in this area. But for this task, SingleWithSuppress should
be fine.
You may want to read SEC's excellent man page; the website has links to
online references, too.
Good luck,
Christian
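
Added example, not part of the original post: a small Python model of SingleWithSuppress run over constructed syslog lines, showing how the suppression key decides which config changes still trigger a RANCID run. It relies on SEC's documented behaviour that a correlation operation is keyed on rule file, rule ID and the expanded 'desc' string; the hostnames, log lines and the 300-second window are assumptions.

```python
import re

WINDOW = 300  # seconds; assumed value for the rule's 'window' field

# Constructed syslog lines as (arrival time in seconds, text); hostnames are made up.
SAMPLE = [
    (0,   "Feb 27 11:00:00 rtr-a 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    (20,  "Feb 27 11:00:20 rtr-a 102: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    (45,  "Feb 27 11:00:45 rtr-b 77: %SYS-5-CONFIG_I: Configured from console by ops on vty1"),
    (400, "Feb 27 11:06:40 rtr-a 103: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
]

# Pattern without and with the logging host captured as group 1.
ANY_HOST = re.compile(r"%SYS-5-CONFIG_I")
WITH_HOST = re.compile(r"^\w{3} +\d+ [\d:]{8} (\S+) .*%SYS-5-CONFIG_I")


def action_times(events, pattern, key_of, window=WINDOW):
    """Return the arrival times at which the rule's action would run.

    The first match for a key runs the action and opens a suppression
    window; later matches with the same key inside that window are dropped.
    """
    suppressed_until = {}
    fired = []
    for ts, line in events:
        match = pattern.search(line)
        if match is None:
            continue
        key = key_of(match, line)
        if ts < suppressed_until.get(key, float("-inf")):
            continue  # same key, window still open: no action
        suppressed_until[key] = ts + window
        fired.append(ts)
    return fired


def one_key_for_all(match, line):   # constant desc: every host shares one window
    return "config-change"

def key_per_host(match, line):      # desc built from the captured hostname
    return match.group(1)

def key_whole_line(match, line):    # desc set to the full line (timestamps differ)
    return line


if __name__ == "__main__":
    print("shared key :", action_times(SAMPLE, ANY_HOST, one_key_for_all))
    print("per host   :", action_times(SAMPLE, WITH_HOST, key_per_host))
    print("whole line :", action_times(SAMPLE, WITH_HOST, key_whole_line))
```

With a shared key the change on rtr-b at t=45 never triggers a collection; with the whole line as key nothing is suppressed, because every line carries a different timestamp and sequence number.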