DX Infrastructure Manager

ntevl configuration for two exact Events within a specific time

  • 1.  ntevl configuration for two exact Events within a specific time

    Posted 06-28-2017 07:31 AM

    Hi All,

    We have CA UIM 8.4 installed on a Windows 2012 platform.

    We now have a requirement to monitor events that occur two or more times with the exact same event message. But when we use Event count >= 2 with a time frame of 1 min, we get an alert for the second event even though the message varies.

    ntevl probe version: 4.24

    What we are running into is that we have a profile set up so that it should only send out an alarm if a single user tries to log into SQL 2 times within the same minute.

    What is happening is that we get an alarm for the second user that was tried, so if I do 1 try with sa and 1 try with administrator, I get the alarm on administrator.

    What we are actually looking for is no alarm under that condition, but if sa tries 2 times in less than a minute and it fails, then they get an alarm for sa.

    Please suggest here.

    Regards,

    Manu

    +91 8754587671



  • 2.  Re: ntevl configuration for two exact Events within a specific time
    Best Answer

    Posted 06-28-2017 11:37 AM

    Hi ManuFair,

    I created a Lua script for nas (rafale mode). It is used in production by one of my customers. Your need seems pretty close:

    GitHub - fraxken/rafale_mode: CA UIM Rafale_mode for NAS

    It was originally dedicated to logmon (but if you have a way to update the alarm message to add the rafale pattern, it's fine).

    For example, if I understood your need:

    My ntevl alarm message [2][60][5]

    So if NAS catches this error 2 times in less than 60 seconds (with an alarm severity of 5), it will trigger an alarm with the message: My ntevl alarm message

    Maybe it doesn't answer your need perfectly, but don't hesitate to copy it and look at how it has been made to work on your own solution to match the use case.

    Best Regards,

    Thomas



  • 3.  Re: ntevl configuration for two exact Events within a specific time

    Posted 07-06-2017 10:25 AM

    Thanks for the update.

    But I am not comfortable with scripting. Can you please suggest what I need to do here to accomplish my target?

    Regards,

    Manu

    +91 8754587671



  • 4.  Re: ntevl configuration for two exact Events within a specific time

    Posted 07-12-2017 08:43 PM

    Hi ManuFair,

    I'm working on a Perl probe that will match your need (to replace the Lua solution with a real high-performance solution).

    https://github.com/UIM-Community/rafale

    It is not ready yet (I am working on a beta for the beginning of next week). I have some work to do to make the script work with MSSQL and MySQL (to be OK for everyone).

    Look at the cfg:

    <rafale-rules>
        <!-- Break on the first rafale rule matched, set to 'yes' by default -->
        exclusive_rafale = yes
        <100>
            <!-- Alarm field to match -->
            match_alarm_field = udata.message
            <!-- regexp to match on the field (like alarm_enrichment) -->
            match_alarm_regexp = .*Your\salarm\smessage\shere.*
            <!--
                Trigger an alarm if we have 2 alarms in less than 60 seconds with a severity of 5.
                Setting no will reverse the behavior.
                Default value = yes
            -->
            trigger_alarm_on_match = yes
            <!-- Number of alarm rows we want to have before triggering a new alarm -->
            required_alarm_rowcount = 2
            <!-- The interval in which we check the alarm row count (in seconds) -->
            required_alarm_interval = 60
            <!-- Alarm severity; if no value is entered there is no severity check -->
            required_alarm_severity = 5
        </100>
    </rafale-rules>

    The key "trigger_alarm_on_match" is not clear enough. But the goal is to reverse the behavior (like I want an alarm if I don't have at least 2 rows in less than 60 seconds with a severity of 5).

    I will keep you updated!

    Best Regards,

    Thomas
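The correlation the thread is after (both the `[2][60][5]` pattern in the accepted answer and the `<rafale-rules>` keys in the cfg above) is a sliding-window count keyed on the exact alarm message. The block below is an added Python model of that logic, written for this page; it is not the nas Lua script, not the rafale Perl probe, and the rule values, field names and the `Login failed for user` alarms it feeds in are constructed sample data. The `per_message` switch is also an assumption: with it on, the counter is keyed on the message text, which gives the per-user behaviour the question asks for; with it off, the counter is keyed on the rule alone, which reproduces the ntevl `Event count >= 2` behaviour that fired on the second user. The reversed mode of `trigger_alarm_on_match = no` (alarm on absence) is not modelled.

```python
import re
from collections import defaultdict, deque

# Constructed rule set mirroring the <rafale-rules> keys from the post above.
# Regex, threshold and interval are sample values, not the probe's defaults.
RULES = [
    {
        "id": "100",
        "match_alarm_field": "udata.message",
        "match_alarm_regexp": r".*Login failed for user.*",
        "required_alarm_rowcount": 2,
        "required_alarm_interval": 60,   # seconds
        "required_alarm_severity": 5,    # None disables the severity check
    },
]


def get_field(alarm, path):
    """Resolve a dotted field path such as 'udata.message' in a nested dict."""
    value = alarm
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


class RafaleCorrelator:
    """Sliding-window counter: fire when the same message matches a rule
    required_alarm_rowcount times within required_alarm_interval seconds."""

    def __init__(self, rules, exclusive_rafale=True, per_message=True):
        self.rules = [dict(rule, _re=re.compile(rule["match_alarm_regexp"])) for rule in rules]
        self.exclusive = exclusive_rafale
        # per_message=True keys the counter on the exact message text (what the
        # question asks for); False keys it on the rule alone, which is why a
        # plain event count fires on a different user's login failure.
        self.per_message = per_message
        self.history = defaultdict(deque)   # key -> arrival times of matching alarms

    def process(self, alarm, now):
        """Feed one alarm that arrived at time `now` (seconds); return the list of
        correlated alarms this one triggers."""
        triggered = []
        for rule in self.rules:
            value = get_field(alarm, rule["match_alarm_field"])
            if not isinstance(value, str) or not rule["_re"].match(value):
                continue
            wanted_sev = rule.get("required_alarm_severity")
            if wanted_sev is not None and alarm.get("severity") != wanted_sev:
                continue

            key = (rule["id"], value) if self.per_message else (rule["id"],)
            window = self.history[key]
            window.append(now)
            # Drop rows that are no longer inside the interval (strictly "less than").
            cutoff = now - rule["required_alarm_interval"]
            while window and window[0] <= cutoff:
                window.popleft()

            if len(window) >= rule["required_alarm_rowcount"]:
                triggered.append({"rule": rule["id"], "message": value, "count": len(window)})
                window.clear()   # count the next burst from zero
            if self.exclusive:   # exclusive_rafale = yes: stop at the first matching rule
                break
        return triggered


# Constructed sample stream: two users failing SQL logins, a lone retry later,
# and a low-severity repeat that must not count.
SAMPLE_ALARMS = [
    (0,   {"severity": 5, "udata": {"message": "Login failed for user 'sa'."}}),
    (10,  {"severity": 5, "udata": {"message": "Login failed for user 'administrator'."}}),
    (30,  {"severity": 5, "udata": {"message": "Login failed for user 'sa'."}}),
    (100, {"severity": 5, "udata": {"message": "Login failed for user 'sa'."}}),
    (120, {"severity": 3, "udata": {"message": "Login failed for user 'sa'."}}),
]


def run_scenario(per_message=True):
    """Replay SAMPLE_ALARMS and return the correlated alarms as (time, message) pairs."""
    correlator = RafaleCorrelator(RULES, per_message=per_message)
    fired = []
    for ts, alarm in SAMPLE_ALARMS:
        for hit in correlator.process(alarm, ts):
            fired.append((ts, hit["message"]))
    return fired


if __name__ == "__main__":
    print("keyed per message:", run_scenario(per_message=True))
    print("keyed per rule   :", run_scenario(per_message=False))
```

Replaying the sample stream with `per_message=True` fires once, at t=30 for the second `sa` failure inside 60 seconds; the `administrator` failure at t=10 starts its own window and never reaches two rows, and the severity-3 repeat at t=120 is ignored by the `required_alarm_severity` check. With `per_message=False` the same stream fires at t=10 on the `administrator` message, which is exactly the unwanted alarm described in the question.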