[c-nsp] RANCID and SEC (Simple Event Correlator)

Christian Zeng christian at zengl.net
Mon Feb 27 11:52:24 EST 2006


Hi,

you must suppress further events after the first event occurred. SEC has
the 'SingleWithSuppress' event type for this task:

type=SingleWithSuppress
ptype=RegExp
pattern=<SYS-5-CONFIG regex>
desc=$0
action=<launch RANCID here>
window=<time in seconds to ignore subsequent events>

This will launch 'action' when 'pattern' is logged. Subsequent 'pattern'
will be ignored for 'window' seconds.

Include in the 'pattern' regex the logged hostname/IP address. If you
only cover the 'SYS-5-CONFIG' statement, this rule will cover and
possibly suppress messages from *all* hosts.

More complicated event reduction tasks can be done with contexts; SEC is
very powerful in this area. But for this task, SingleWithSuppress should
be fine.

You may want to read SEC's excellent man page; the website has links to
online references, too.

Good luck,


Christian
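
A small model of the suppression behaviour described in this message, added here as an example and not part of the original post or of SEC itself: it replays constructed syslog lines, keys the suppression window on the hostname captured by the pattern, and accepts only hostnames made of letters, digits, dots and hyphens, so a forged syslog line cannot carry shell metacharacters into the launched command. The log layout, hostnames, year and the 300-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the original post).
SAMPLE = """\
Feb 27 11:50:01 rtr1.example.net 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Feb 27 11:50:20 rtr1.example.net 102: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Feb 27 11:51:00 rtr2.example.net 77: %SYS-5-CONFIG_I: Configured from console by ops on vty1
Feb 27 11:53:00 rtr1.example.net;id 103: %SYS-5-CONFIG_I: Configured from console by x on vty0
Feb 27 11:56:05 rtr1.example.net 104: %SYS-5-CONFIG_I: Configured from console by admin on vty0
""".splitlines()

# The hostname is captured with a strict character class, so the fourth
# sample line (hostname followed by ";id") does not match at all.
PATTERN = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ([A-Za-z0-9][A-Za-z0-9.-]*) .*%SYS-5-CONFIG_I:")

def launches(lines, window=300):
    """Model of a suppress-after-first-match rule keyed per host.

    The first match for a host fires; later matches for that host are
    ignored until `window` seconds after the match that fired.
    Returns a list of (timestamp, host) for which RANCID would be run.
    """
    fired_at = {}  # host -> time of the event that opened the window
    out = []
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; 2006 is assumed for parsing.
        ts = datetime.strptime("2006 " + m.group(1), "%Y %b %d %H:%M:%S")
        host = m.group(2)
        start = fired_at.get(host)
        if start is not None and (ts - start).total_seconds() < window:
            continue  # still inside this host's suppression window
        fired_at[host] = ts
        out.append((m.group(1), host))
    return out

if __name__ == "__main__":
    for when, host in launches(SAMPLE):
        print(when, "-> run RANCID for", host)
```

Replaying a day of real logs through `launches` with different `window` values shows how many RANCID runs a given setting would trigger per device before the rule goes live.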

