DX Unified Infrastructure Management

The alarm.set() function requires an argument of a table containing the new message fields.  However, the NAS whitepaper says that only the following fields can be modified by alarm.set():

• message
• level / severity
• sid
• user_tag1
• user_tag2
• visible
• escalated

Even though alarm.set() does not support modifying the hostname, you can do it with a custom pre-processing rule.  The script gets a table named event, which contains all of the fields of the alarm.  Only some of them may be changed by the script, but this includes hostname.  The event table needs to be returned at the end of the script.  Page 22 of the NAS whitepaper has a good description of custom pre-processing rules.

-Keith

Nice!

Ok - I've got that part working, now to avoid maintaining a lookup table within the script I would like to use the subsystemid from the event table to lookup the subsystem name.

Is there an API to do this or a way to query it from the event or another table so I don't have to parse the nas.cfg file?

Thanks,
Chris

I thought I had it figured out. The following script will get the subsys (subsystem name) value when I run it in the script editor, but when I run it via a preprocessing profile I get the following error:

Jul 30 12:15:36:141  nas: OVERRIDE BY RULE 'TEST - Set HostName' - msg:Test Message for subsystem: Private\Blackbaud\OnDemand\BBNC\Client,src:CHRISTOPHERHA,sev:3
Jul 30 12:15:36:141  nas: PREPROCESSOR ERROR: scripts/bb-preprocessing-sethostname:6: attempt to index global 'database' (a nil value)


Script:
-- Open the NAS database
database.open()
-- Query for the subsystem name
rs = database.query("select distinct subsys from NAS_EVENTS where sid = 3.1.1.1")
print("#rs: "..#rs)
--for i=1,#rs do
--  print (rs.subsys)
--end
database.close()

Chris,

It looks like the script does not have the database table defined even though the NAS Lua is supposed to provide it.  I wonder if some of the NAS-specific Lua extensions are unavailable in pre-processing rules.  I have heard warnings to use custom pre-processing with care because they kind of get run in the middle of the normal alarm message processing.  While I have not seen any information to indicate that some of the extensions are not availalble in pre-processing rules, it is possible.

I think we will need Carstein to chime in on this one.  (He is currently out of the office, but I think he comes back next week.)

-Keith

For alarms generated by the url_response probe, it is possible to 'spoof' the source of the alarm so that it appears to come from the target system. To do this open the test profile and toggle the 'Advanced' button in the bottom right corner.  This will expose a number of additional fields.  The one of interest is the 'Alarm Source Override" field.

The alarm source override field allows you to place in it an arbitrary string.  Most often, an IP address of the targeted url.  The contents of the field are used as the source field in the alarm message that is delivered to the NAS.  The NAS then performs a dns (name) lookup based upon the source field and places the result in the hostname field of the alarm.

When this feature was introduced it was intended to provide a way for the source and hostname in the alarm to reflect the system that was in trouble rather than the system from which the url_response tests were being performed.

The net_connect probe has a slightly different method for setting the source field. Near the bottom of each alarm profile properties page, there is an identification method pulldown.  The pulldown offers Host Name, IP Address, or Profile Name.  Hostname and IP Address refer to the contents of the first two fields at the top of the properties sheet.  The Profile Name refers of course to the name of the profile.  By setting this pulldown, you can decide which of these three fields are sent to the alarm server as the source of the alarm.  Usually, the best choice is IP address.  Again, when source arrives at the nas, the hostname is looked up and then both are available in the alarm attributes for filtering and organizing the alarms.

Many other probes, such as the logmon probe, have an alarm source override field.  The biggest trick is making use of name resolution on the NAS.  Whatever it finds in the source field is used in a reverse lookup to try to obtain a hostname.  One could conceivably build an /etc/hosts file beneath the NAS and cause the nas to do some interesting and useful translation.

Enjoy.

Great info, Paul!  Thanks for sharing.  I should have remembered that net_connect had a source override option, but I do not think I ever knew that about url_response.  That is a great feature; I have used it on several probes, including the database probes.

If you do not wish to worry about the IP-to-name mapping, you can always use a text string in the source field.  The NAS is unable to do a reverse lookup if it gets a string rather than an IP address, so then the value of the source field is copied to the hostname field.

-Keith

Great info guys!!!

Thank you very much.

-Chris