Event filters are used to trigger an action when an event or a trap is received by LoriotPro. For each Event or Trap, multiple filters can be defined and thus multiple actions can be generated. An action can be used to send an e-mail, play a sound, start a program...
To create a filter you have the choice between three methods:
1. Invoke the wizard from a received Event. This is the easiest method because the filter will be created automatically and you will only have to choose the action.
2. Invoke the wizard from the filter tree. This method requires you to know the number of the Event that you want to filter.
3. Open the Filter file and edit the file. This method is recommended if you want to create many filters that are similar.
A filter for an Event is defined by a line in the trapfilter.txt file, without CR, starting with the keyword event. An Event filter can contain six to seven parameters.
Example : event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
Invoking Wizard from a received Event
Like in the Trap window, the Global Event window has a contextual menu with the option Event Filter Wizard.
This option is used to create a Filter from a received Event. If you do not have a chance to receive an Event and you want to create a Filter, you cannot use this option and you must use the Filter Tree.
Select an Event from the Global Event Window and right click to call the contextual menu.
>Event Filter Wizard…
The creation of a new action for this Event is proposed. The current event parameter will be used to define the action.
The filter creation window is displayed with the current action parameters.
Event filter window(Wizard)
The IP address field allows you to filter the source IP address
The mask allows you to extend the filter to a network instead of a single IP host.
The Strings allow you to create filters based on character strings contained in the message itself.
The List box Action Wizard allows you to select an action type among the list. The Action parameter allows you to define the additional parameters that will be used by the program.
Action - Play sound
Select a wave file. You should have a wav file player installed.
Action - Start Windows Program and Start DOS program
Select a program.
Action - Send Syslog message
Enter the IP address of the Syslog server.
Action - Forward to Custom window
A window is displayed asking you to select in which Custom window you want to display the action.
Event Custom Selection (Wizard)
Custom Windows are available under the three tabs of the Global Event Window: Custom 1, Custom 2 and Custom 3.
Action - Forward to another LoriotPro
Enter the address of the LoriotPro server to which you want to forward the event.
Action - Send E-mail
Enter the e-mail address of the receiver.
Warning: The SMTP Scheduler service should be installed for this option to work.
Once you have set the action you can define the parameter string attached to this action.
For example, if you send an E-mail you can provide the Message by specifying the %m value as in the following screenshot.
Finally you can adjust the behavior of the filter by setting a threshold.

| Threshold | Behavior |
|---|---|
| Match All | The action is triggered every time the Filter matches. |
| Match only First | Given a Trap Filter Counter initially at 0, the action is triggered only the first time the filter matches. |
| Match only X | Given a Trap Filter Counter initially at 0, only the first X filter matches trigger the action. |
| Match after X | Given a Trap Filter Counter initially at 0, after X filter matches, each new Filter match triggers an action. |
| Match if supposed burst for time interval <= | Evaluate the number of Filter matches during a specific time interval and trigger the action if the value is greater than the threshold. |
| Match Every X | Trigger the action every X filter matches. |
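The threshold modes above decide how many e-mails, program launches or forwarded events a noisy sender can cause. The sketch below is an added example, not LoriotPro code: the class, mode names and parameters are hypothetical, and the burst mode is assumed to be a sliding time window.

```python
from collections import deque

class FilterThreshold:
    """Decides, for each filter match, whether the action fires (hypothetical names)."""

    def __init__(self, mode, x=1, interval=60.0):
        self.mode, self.x, self.interval = mode, x, interval
        self.count = 0          # the "Trap Filter Counter", initially at 0
        self.recent = deque()   # match timestamps, used by the burst mode only

    def on_match(self, now=0.0):
        self.count += 1
        if self.mode == "all":
            return True
        if self.mode == "first":
            return self.count == 1
        if self.mode == "only_x":
            return self.count <= self.x
        if self.mode == "after_x":
            return self.count > self.x
        if self.mode == "every_x":
            return self.count % self.x == 0
        if self.mode == "burst":
            # Assumption: count matches inside the last `interval` seconds
            # and fire when that count is greater than the threshold x.
            self.recent.append(now)
            while now - self.recent[0] > self.interval:
                self.recent.popleft()
            return len(self.recent) > self.x
        raise ValueError(f"unknown mode {self.mode!r}")

def fired(mode, timestamps, **kw):
    """Replay match timestamps through one mode; return the 1-based matches that fire."""
    t = FilterThreshold(mode, **kw)
    return [n for n, ts in enumerate(timestamps, 1) if t.on_match(ts)]

if __name__ == "__main__":
    steady = [0, 1, 2, 3, 4, 5]          # constructed: six matches, one per second
    for mode, kw in [("all", {}), ("first", {}), ("only_x", {"x": 2}),
                     ("after_x", {"x": 2}), ("every_x", {"x": 3})]:
        print(mode, fired(mode, steady, **kw))
    print("burst", fired("burst", [0, 1, 2, 3, 50, 51], x=3, interval=10))
```
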
Invoking Wizard from the Filter Tree
We have seen that the Event Filter Wizard allows you to create filters in a simple way. The Wizard could also be called directly from the Filter tree by selecting an Event in the tree and right clicking. Select th
>New Event Filter…
This time, an empty creation window is displayed.
From there you can either choose an existing Event in the List or register a new Event by calling the Wizard.
The Wizard button calls the advanced window that helps you to create the character string that will be used in the command line.
Warning: The creation window adds the newly created filter at the bottom of the tree, and the trapfilter.txt file is automatically saved when you leave it. If you want to re-order the filters you should manually edit the trapfilter.txt file, save it after modification and do a refresh of the window from the menu « Configure>Traps/Events Filter ».
The following table displays the syntax to use in Event filter.
Table of Event filters syntax
| Parameters | Examples | Definitions |
|---|---|---|
| event | Event | The keyword event starts each new line defining a filter and is used by the compiler. |
| number | 210 | The reference number of the event. The list is defined in the events.txt file. |
| IP | 0.0.0.0 | The two following parameters are used to trigger an action if the source address of the packet matches the filter. The rule below is applied: IF IP_SOURCE_RECEIVED AND IP_MASK = IP THEN action. Example with IP received = 10.33.10.121: with a rule IP = 0.0.0.0, IP_MASK = 0.0.0.0, all IP addresses trigger the action; with a rule IP = 10.33.0.0, IP_MASK = 255.255.0.0, the action is triggered because 10.33.10.121 belongs to network 10.33.0.0; with a rule IP = 20.0.0.0, IP_MASK = 255.0.0.0, no action is triggered because 10.33.10.121 does not belong to network 20.0.0.0. To select a unique address, for example 192.168.10.1, code the action below: Action 192.168.10.1 255.255.255.255 |
| The level of severity assigned to this event | 4 | Values from 0 to 10 are used to assign a level of severity to the Trap. The level allows Traps to be displayed in different colors in the Global Event window. |
| Action type | Play sound | The type of action to trigger if the IP address condition is satisfied. See next table. |
| command | "wave/linedown.wav" | A quote-delimited character string containing the parameters used in the command line. See next table. |
Variables of Event
| Variables | Value assigned |
|---|---|
| %r %R | Event number |
| %i %I | IP address of the sending agent |
| %T | Local time stamp |
| %l | Severity level |
| %m | The message generated by the Event |
Action list
| Actions | Command |
|---|---|
| | Play a sound: The string of command line parameters should contain the full path to a wave file. The string could contain variables. Example: |
| | Start a Windows type program: The string of command line parameters should contain the full path to a Windows executable file. The string could contain variables. Example: |
| | Start a DOS type program: The string of command line parameters should contain the full path to a Windows executable file. The string could contain variables identical to the Trap filter string. Example: |
| | Send a Syslog message: The string of command line parameters contains the IP address of the Syslog server and other variables. Example: |
| | Create a Mail message in the Mail spooler: The string of command line parameters should contain the e-mail address and other variables. Example: |
| | Display the Trap in the custom window 1 to 3 and their variables. Example: |
| | Route the event to another LoriotPro server. The command line contains the destination IP address and the UDP port used on the remote LoriotPro for Event receiving. Example: |
| Null | Do nothing |
Remark: You could define several filters for the same Event type with different associated actions and different address filters.
Example
event 101 0.0.0.0 0.0.0.0 1 wave "wave/%igodown.wav"
event 101 10.33.10.121 255.255.255.255 4 custom 1
event 101 0.0.0.0 0.0.0.0 2 custom 2
event 10002 0.0.0.0 0.0.0.0 4 custom 2
event 101 10.0.0.0 255.0.0.0 1 wave "wave/hostgodown.wav"
event 101 0.0.0.0 0.0.0.0 1 smtp "ludo4@test.com %i form %I host go down"
event 100 0.0.0.0 0.0.0.0 1 wave "wave/%igoup.wav"
event 100 0.0.0.0 0.0.0.0 1 winrun "telnet %i"
event 100 20.0.0.0 0.0.0.0 1 wave "wave/chord.wav"
event 100 30.0.0.0 0.0.0.0 1 wave "wave/chord.wav"
event 101 00.0.0.0 0.0.0.0 1 route "10.33.10.122 5001"
event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
event 211 0.0.0.0 0.0.0.0 4 wave "wave/loriotgodown.wav"
event 214 10.33.10.121 255.255.255.255 1 wave "ding.wav"
event 214 0.0.0.0 0.0.0.0 1 null "empty"
event 1 10.33.10.121 255.255.255.255 1 wave "wave/ding.wav"
event 100005 0.0.0.0 0.0.0.0 4 dosrun "toto.bat '%m'"
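The following added example (not LoriotPro code; the function names are hypothetical) parses event filter lines and applies the rule from the syntax table, IF IP_SOURCE_RECEIVED AND IP_MASK = IP. It also flags rules such as `event 100 20.0.0.0 0.0.0.0 ...`, which under that rule can never match because the IP has bits set outside the mask.

```python
import shlex

# Constructed sample: four lines copied from the Example list above.
FILTERS = '''\
event 101 10.33.10.121 255.255.255.255 4 custom 1
event 101 10.0.0.0 255.0.0.0 1 wave "wave/hostgodown.wav"
event 100 0.0.0.0 0.0.0.0 1 winrun "telnet %i"
event 100 20.0.0.0 0.0.0.0 1 wave "wave/chord.wav"
'''

def ip(text):
    """Dotted quad to a 32-bit integer (tolerates the '00.0.0.0' spelling)."""
    a, b, c, d = (int(part) for part in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse(text):
    """Yield one dict per 'event' line; blank and '#' lines are skipped."""
    for line in text.splitlines():
        f = shlex.split(line, comments=True)
        if len(f) >= 7 and f[0] == "event":
            yield {"number": int(f[1]), "ip": f[2], "mask": f[3],
                   "level": int(f[4]), "action": f[5], "param": f[6],
                   "line": line}

def matches(rule, number, source):
    """Handbook rule: IF IP_SOURCE_RECEIVED AND IP_MASK = IP THEN action."""
    return (rule["number"] == number
            and ip(source) & ip(rule["mask"]) == ip(rule["ip"]))

def actions_for(text, number, source):
    """Every (action, parameter) pair triggered by this event and sender."""
    return [(r["action"], r["param"]) for r in parse(text)
            if matches(r, number, source)]

def dead_rules(text):
    """Rules whose IP has bits outside the mask: (source AND mask) never equals IP."""
    return [r["line"] for r in parse(text)
            if ip(r["ip"]) & ip(r["mask"]) != ip(r["ip"])]

if __name__ == "__main__":
    print(actions_for(FILTERS, 101, "10.33.10.121"))
    print(actions_for(FILTERS, 100, "20.1.2.3"))
    print(dead_rules(FILTERS))
```
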
Refresh Traps Filters Menu
The Event Filters are defined in the same file as the Trap filters.
The trapfilter.txt file is located in the /bin directory. It contains a few trap and event filters that could help you as examples to create and customize your management server.
Trapfilter.txt file
# trapfilter.txt file used by LoriotPro (c) 1999-2002, all rights Reserved Ludovic Lecointe
#
# This file was loaded at the start of LoriotPro
# It is possible to refresh the trap filter in the event docking window with the context menu
# or when you go to the mib compiler module
#
# For the smtp action install and configure the SmtpEventScheduler.sp service plugin
#####################################################################################
#
# Available parameters and syntax for trap string
#------------------------------------------------
#
# %r reference
# %i agent ip address
# %p proxy ip address
# %t timestamp given by agent in trap packet
# %T timestamp local
# %0 to %9 buffer parameters of the trap if exist
# $0 to $9 name parameters of the trap if exist
# %n ObjId of the trap
# %N name of the trap if exist
# %l level of the trap
#
# 7 columns define the trap
#
# 1 trap
# 2 ObjID for trap generic 6
# 3 trap generic number 1 to 6: (1-5) reserved, 6 enterprise; put 6 for notification V2c or V3
# 4 trap specific number x for enterprise trap: put 0 for notification V2c or V3
# 5 trap level for syslog or action in event manager
# 6 "string with variables"
# 7 event level (300 by default, or greater than 10000 for custom);
#   if 0 the event was not generated but only the actions
#
# Available parameters and syntax for action string (the same as for trap)
#------------------------------------------------
#
# 6 columns define trap action
#
# 1 action keyword
# 2 ip add
# 3 ip mask
# 4 community (* = any)
# 5 action (wave winrun dosrun syslog)
#     wave "wave/linedown.wav"
#     winrun "telnet %i"
#     dosrun "dir *.*"
#     syslog "10.33.10.126 string with variable"
#     trap "10.33.10.129" (reroute the trap to 10.33.10.129)
#     smtp "name@domain.com string with variable"
# 6 "string with variable running"
#
#
#
# Available parameters and syntax for event string
#------------------------------------------------
#
# %i %I agent ip address
# %m message of the event (the '<x>' information at the start of the message is replaced
#    by ' x ' if you use the dosrun or winrun action)
# %r %R ref of the event (number)
# %T timestamp local
# %l level for this action
#
# 7 columns define event action
#
# 1 event keyword
# 2 number (reference of the event see events.txt file)
# 3 ip add
# 4 ip mask
# 5 level (number) assign one level for this event and this ip/mask selection
# 6 action (wave winrun dosrun syslog custom null)
#     wave "soubd/ding.wav"
#     winrun "telnet %i"
#     dosrun "dir *.*"
#     syslog "10.33.10.126 string with variable"
#     smtp "name@domain.com string with variable"
#     custom 1 (1 2 or 3 to display the alert in custom alert list box)
#     null null
# 7 "string with variable running"
################################################################################
#########################################################################
#trap /action configuration
#########################################################################
#V2c or V3 notification sample
trap enterprises.9.9.43.2.0.1 6 0 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
action 10.33.10.121 255.255.255.255 * wave "wave/chord.wav"
trap ciscoMgmt.41.2 6 1 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
trap ciscoMgmt.43.2 6 1 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
trap cisco 6 1 3 "%n (%N) for agent %i from proxy [%p] : %0 %1 $2/%2 ByteIn/%3 ByteOut/%4 $5/%5"
trap loriotidsprobe 6 1 3 "%n (%N) for agent %i from proxy [%p] : %0 %1 $2/%2 ByteIn/%3 ByteOut/%4 $5/%5"
trap ciscoSyslogMIBNotificationPrefix 6 1 3 "%n (%N) for agent %i from proxy [%p] %0 %1 %2 %3 %4 %5"
trap ciscoConfigManMIBNotificationPrefix 6 1 3 "%n (%N) for agent %i from proxy [%p] %0 %1 %2 %3 %4 %5"
trap LinkDown 2 0 6 "%r for %n from %i Interface %1 at %t Description %1 Type %2 Status %3" 10002
#action 10.33.10.121 255.255.255.255 public wave "wave/ding.wav"
#action 10.33.10.121 255.255.255.255 * winrun "telnet %i"
action 0.0.0.0 0.0.0.0 * wave "wave/linedown.wav"
trap LinkUp 3 0 4 "%r for %n from %i Interface %1 at %t Description %1 Type %2 Status %3" 10001
action 0.0.0.0 0.0.0.0 * wave "wave/lineup.wav"
trap Authentication 4 0 3 "%r for %n from %i from proxy [%p] Request from station [%0]" 10005
#action 10.33.10.121 255.255.255.255 public trap "10.33.10.129"
#action 10.33.10.121 255.255.255.255 public wave "wave/ding.wav"
#action 0.0.0.0 0.0.0.0 * syslog "10.33.10.126 %r for %n from %i from proxy [%p] Request from station [%0]"
#########################################################################
#event configuration see events.h and events.txt file
#########################################################################
#define EVENT_NEWHOST 1
#define EVENT_NEWNETWORK 2
#define EVENT_HOSTGOUP 100
#define EVENT_HOSTGODOWN 101
#define EVENT_HOSTGOPOLLED 102
#define EVENT_HOSTGONOPOLLED 103
#define EVENT_HTTPDGOUP 200
#define EVENT_HTTPDGODOWN 201
#define EVENT_POLLINGGOUP 202
#define EVENT_POLLINGGODOWN 203
#define EVENT_POLLINGPINGGOUP 204
#define EVENT_POLLINGPINGGODOWN 205
#define EVENT_POLLINGSNMPGOUP 206
#define EVENT_POLLINGSNMPGODOWN 207
#define EVENT_PLUGINLOADERROR 208
#define EVENT_LORIOTGOUP 210
#define EVENT_LORIOTGODOWN 211
#define EVENT_V3AUTHERROR 212
#define EVENT_V3REPLAY 213
#define EVENT_V3ERROR 214
#define EVENT_TRAP 300
#########################################################################
event 200 0.0.0.0 0.0.0.0 2 wave "wave/warninghttpdgoup.wav"
event 201 0.0.0.0 0.0.0.0 2 wave "wave/warninghttpdgodown.wav"
#event 101 0.0.0.0 0.0.0.0 1 wave "wave/hostgodown.wav"
#event 101 10.0.0.0 255.0.0.0 1 wave "wave/hostgodown.wav"
#event 101 10.33.10.121 255.255.255.255 4 custom 1
#event 100 0.0.0.0 0.0.0.0 1 wave "wave/%igoup.wav"
#event 100 20.0.0.0 255.0.0.0 1 wave "wave/ding.wav"
#event 100 30.0.0.0 255.0.0.0 1 wave "wave/ding.wav"
event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
event 211 0.0.0.0 0.0.0.0 4 wave "wave/loriotgodown.wav"
#event 2 0.0.0.0 0.0.0.0 2 wave "wave/newnetwork.wav"
#event 1 10.33.10.121 255.255.255.255 1 wave "wave/ding.wav"
#event 214 10.33.10.121 255.255.255.255 1 wave "ding.wav"
#event 214 0.0.0.0 0.0.0.0 1 null "empty"
#event 300 0.0.0.0 0.0.0.0 1 syslog "10.33.10.129 %m"
#event 300 0.0.0.0 0.0.0.0 1 smtp "unknow@domain.com %m"
#event 10005 0.0.0.0 0.0.0.0 1 smtp "unknow@domain.com Authentication fail %i %r %R %m"
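The winrun and dosrun actions place their string on a command line, and %m (or %0 to %9 in trap actions) carries text from the received event or trap. The added example below, which is not part of LoriotPro and whose function names are hypothetical, lists the active filters in a trapfilter.txt that start a program and marks those that pass such text with no source IP/mask restriction, so they can be reviewed.

```python
import re

# Constructed sample in trapfilter.txt syntax, using lines shown on this page.
SAMPLE = '''\
event 100 0.0.0.0 0.0.0.0 1 winrun "telnet %i"
event 100005 0.0.0.0 0.0.0.0 4 dosrun "toto.bat '%m'"
event 214 10.33.10.121 255.255.255.255 1 wave "ding.wav"
#action 10.33.10.121 255.255.255.255 * winrun "telnet %i"
action 0.0.0.0 0.0.0.0 * wave "wave/linedown.wav"
'''

EXEC_ACTIONS = {"winrun", "dosrun"}        # actions that start a program
TEXT_VARS = re.compile(r"%m|%[0-9]")       # event message / trap buffer parameters
# keyword, ip, mask, level-or-community, action, quoted string
LINE = re.compile(
    r'^(?:event\s+\d+|action)\s+(\S+)\s+(\S+)\s+\S+\s+(\w+)\s+"([^"]*)"')

def audit(text):
    """List active filters whose action starts a program, with review hints."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line.strip())       # '#' lines and trap definitions never match
        if not m:
            continue
        ip, mask, action, command = m.groups()
        if action not in EXEC_ACTIONS:
            continue
        findings.append({
            "line": lineno,
            "action": action,
            "command": command,
            # 0.0.0.0 / 0.0.0.0 means every sender triggers the action
            "any_source": ip == "0.0.0.0" and mask == "0.0.0.0",
            "text_vars": sorted(set(TEXT_VARS.findall(command))),
        })
    return findings

def needs_review(text):
    """Line numbers where received text reaches a command line from any sender."""
    return [f["line"] for f in audit(text) if f["any_source"] and f["text_vars"]]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("review first:", needs_review(SAMPLE))
```
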