DX Infrastructure Manager


How to change the hostname on an alert?

  • 1.  How to change the hostname on an alert?

    Posted 07-30-2009 06:40 PM
    I have my emailgtw configured so that the hostname is included in the subject of the email. Generally this works well, but for probes like url_response and net_connect the hostname is the same for all alerts and loses its value.

    I'm trying to write a script which will modify the hostname on an alert when it is received by the NAS but so far it's not working. (example below) Can someone tell me if this is in fact possible, and if so what I'm doing wrong?

    Script:

    a = alarm.get()
    printf ("a.hostname: "..a.hostname)
    if a ~=nil then
       a.hostname = "test"
       alarm.set()
    end



  • 2.  How to change the hostname on an alert?

    Posted 07-30-2009 07:30 PM
    The alarm.set() function requires an argument of a table containing the new message fields.  However, the NAS whitepaper says that only the following fields can be modified by alarm.set():
    • message
    • level / severity
    • sid
    • user_tag1
    • user_tag2
    • visible
    • escalated
    Even though alarm.set() does not support modifying the hostname, you can do it with a custom pre-processing rule.  The script gets a table named event, which contains all of the fields of the alarm.  Only some of them may be changed by the script, but this includes hostname.  The event table needs to be returned at the end of the script.  Page 22 of the NAS whitepaper has a good description of custom pre-processing rules.

    -Keith
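
A sketch of the kind of custom pre-processing rule described in the reply above, as an added example that is not part of the thread or the NAS whitepaper. It assumes the NAS passes the alarm in a global table named event and that the subsystem ID is in event.sid; the lookup table contents and the helper names are constructed for illustration.

```lua
-- Added example: rewrite the hostname of an alarm in a custom pre-processing rule.
-- Assumptions: the NAS supplies a global table `event`, the subsystem ID is in
-- event.sid, and the returned table is what the NAS continues to process.

-- Constructed mapping from subsystem ID to the hostname to show on the alarm.
local SID_TO_HOST = {
   ["3.1.1.1"] = "client-web-01",
   ["3.1.1.2"] = "client-db-01",
}

-- The hostname ends up in the e-mail subject built by emailgtw, so accept only
-- letters, digits, dot, hyphen and underscore, and at most 253 characters.
local function is_safe_hostname(name)
   return type(name) == "string"
      and #name > 0 and #name <= 253
      and name:match("^[%w%.%-_]+$") ~= nil
end

-- Returns the event table, with hostname replaced only when the sid is known
-- and the replacement passes validation; otherwise the event is left untouched.
local function rewrite_hostname(ev)
   if type(ev) ~= "table" then
      return ev
   end
   local new_host = SID_TO_HOST[tostring(ev.sid)]
   if new_host and is_safe_hostname(new_host) then
      ev.hostname = new_host
   end
   return ev
end

-- Outside the NAS there is no global `event`, so fall back to a constructed one
-- to let the script run stand-alone for testing.
local ev = event or { sid = "3.1.1.1", hostname = "CHRISTOPHERHA", message = "Test Message" }

-- The event table has to be returned at the end of the script.
return rewrite_hostname(ev)
```

Alarms whose sid is not in the table pass through with their original hostname, so an incomplete mapping does not blank the field.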


  • 3.  How to change the hostname on an alert?

    Posted 07-30-2009 08:17 PM
    Nice!

    Ok - I've got that part working, now to avoid maintaining a lookup table within the script I would like to use the subsystemid from the event table to lookup the subsystem name.

    Is there an API to do this or a way to query it from the event or another table so I don't have to parse the nas.cfg file?

    Thanks,
    Chris


  • 4.  How to change the hostname on an alert?

    Posted 07-30-2009 10:17 PM
    I thought I had it figured out. The following script will get the subsys (subsystem name) value when I run it in the script editor, but when I run it via a preprocessing profile I get the following error:

    Jul 30 12:15:36:141  nas: OVERRIDE BY RULE 'TEST - Set HostName' - msg:Test Message for subsystem: Private\Blackbaud\OnDemand\BBNC\Client,src:CHRISTOPHERHA,sev:3
    Jul 30 12:15:36:141  nas: PREPROCESSOR ERROR: scripts/bb-preprocessing-sethostname:6: attempt to index global 'database' (a nil value)


    Script:
    -- Open the NAS database
    database.open()
    -- Query for the subsystem name
    rs = database.query("select distinct subsys from NAS_EVENTS where sid = 3.1.1.1")
    print("#rs: "..#rs)
    --for i=1,#rs do
    --  print (rs.subsys)
    --end
    database.close()


  • 5.  How to change the hostname on an alert?

    Posted 07-31-2009 01:07 AM
    Chris,

    It looks like the script does not have the database table defined even though the NAS Lua is supposed to provide it.  I wonder if some of the NAS-specific Lua extensions are unavailable in pre-processing rules.  I have heard warnings to use custom pre-processing with care because they kind of get run in the middle of the normal alarm message processing.  While I have not seen any information to indicate that some of the extensions are not available in pre-processing rules, it is possible.

    I think we will need Carstein to chime in on this one.  (He is currently out of the office, but I think he comes back next week.)

    -Keith


  • 6.  How to change the hostname on an alert?

    Posted 07-31-2009 02:15 PM
    For alarms generated by the url_response probe, it is possible to 'spoof' the source of the alarm so that it appears to come from the target system. To do this, open the test profile and toggle the 'Advanced' button in the bottom right corner.  This will expose a number of additional fields.  The one of interest is the 'Alarm Source Override' field.

    The alarm source override field allows you to place in it an arbitrary string.  Most often, an IP address of the targeted url.  The contents of the field are used as the source field in the alarm message that is delivered to the NAS.  The NAS then performs a dns (name) lookup based upon the source field and places the result in the hostname field of the alarm.

    When this feature was introduced it was intended to provide a way for the source and hostname in the alarm to reflect the system that was in trouble rather than the system from which the url_response tests were being performed.

    The net_connect probe has a slightly different method for setting the source field. Near the bottom of each alarm profile properties page, there is an identification method pulldown.  The pulldown offers Host Name, IP Address, or Profile Name.  Hostname and IP Address refer to the contents of the first two fields at the top of the properties sheet.  The Profile Name refers of course to the name of the profile.  By setting this pulldown, you can decide which of these three fields is sent to the alarm server as the source of the alarm.  Usually, the best choice is IP address.  Again, when source arrives at the nas, the hostname is looked up and then both are available in the alarm attributes for filtering and organizing the alarms.

    Many other probes, such as the logmon probe, have an alarm source override field.  The biggest trick is making use of name resolution on the NAS.  Whatever it finds in the source field is used in a reverse lookup to try to obtain a hostname.  One could conceivably build an /etc/hosts file beneath the NAS and cause the nas to do some interesting and useful translation.

    Enjoy.




  • 7.  How to change the hostname on an alert?

    Posted 07-31-2009 06:31 PM
    Great info, Paul!  Thanks for sharing.  I should have remembered that net_connect had a source override option, but I do not think I ever knew that about url_response.  That is a great feature; I have used it on several probes, including the database probes.

    If you do not wish to worry about the IP-to-name mapping, you can always use a text string in the source field.  The NAS is unable to do a reverse lookup if it gets a string rather than an IP address, so then the value of the source field is copied to the hostname field.

    -Keith


  • 8.  How to change the hostname on an alert?

    Posted 07-31-2009 08:05 PM
    Great info guys!!!

    Thank you very much.

    -Chris