Variables in PatternDB - what am I doing wrong?
Hi, I've got the following as part of my ruleset:

  <!-- Match and suppress %TCP-6-BADAUTH messages -->
  <rule id='def42cfb-4364-4cfd-bbf1-cdf4f0bc3c88' class='lowpri' context-id="badauth-${badauth.errorsrc}" context-timeout='600' context-scope='host'>
    <patterns>
      <pattern>%TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER::@) to @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)</pattern>
    </patterns>
    <examples>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 195.66.XXX.XX(179) to 195.66.YYYY.YY(56561) (RST)</test_message>
      </example>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 2001:7F8:X::abcd:1(179) to 2001:7F8:X::1234:1(21296) (RST)</test_message>
      </example>
    </examples>
    <actions>
      <action trigger='match'>
        <message>
          <values>
            <value name='MESSAGE'>$(if ("${badauth.errorsrc}@1" eq "${badauth.errorsrc}@2") "Duplicate" "First") BGP Authentication Error to neighbour ${badauth.errorsrc}@1 - last one was ${badauth.errorsrc}@2</value>
          </values>
        </message>
      </action>
    </actions>
  </rule>
  <!-- End %TCP-6-BADAUTH -->

When I feed example messages in from a file, I expect to see something like the following:

  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:X::abcd:1
  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z

Instead I see:

  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:4::abcd:1
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z

What am I getting wrong with the "if" function?

The background to this is that the first of these messages from any host is useful information - however they are sent every 10 seconds and I'm trying to suppress all but the first message for each neighbour. I've tried several different ways of doing this including rate-limiting on the <action> but none of them have worked the way I expected.

Thanks,
Dan

Daniel Ankers
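To make the intended semantics of the rule concrete, here is an added Python model of what the patterndb rule above is meant to do; it is example code written for this thread, not syslog-ng's own implementation and not code from either poster. It assumes that a correlation context is keyed by host plus the `badauth.errorsrc` value (context-id "badauth-${badauth.errorsrc}" with context-scope='host'), that `${name}@1` and `${name}@2` refer to the value from the first and second message in that context, and that the context expires 600 seconds after its last message. The sample log lines, host names and addresses are constructed (documentation address ranges), and `BadAuthCorrelator`, `correlate` and `first_only` are hypothetical names chosen for the example. It goes one step beyond the thread by also showing the suppression the poster is after: keeping only the first BADAUTH message per neighbour, per host, within the timeout.

```python
import re
from dataclasses import dataclass, field

# Regex standing in for the thread's patterndb pattern:
#   %TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER::@)
#   to @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)
BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: No MD5 digest from (?P<errorsrc>[0-9A-Fa-f.:]+)\((?P<srcport>\d+)\) "
    r"to (?P<errordst>[0-9A-Fa-f.:]+)\((?P<dstport>\d+)\) \(RST\)"
)

CONTEXT_TIMEOUT = 600  # seconds, mirrors context-timeout='600' in the rule


@dataclass
class Context:
    """One correlation context: the errorsrc of every message correlated so far,
    in arrival order (values[0] plays the role of '@1', values[1] of '@2'),
    plus the timestamp of the last message, used to expire the context."""
    values: list = field(default_factory=list)
    last_seen: float = 0.0


class BadAuthCorrelator:
    """Model of the rule (hypothetical name): contexts keyed by (host, errorsrc),
    i.e. context-id badauth-${badauth.errorsrc} with context-scope='host'."""

    def __init__(self, timeout=CONTEXT_TIMEOUT):
        self.timeout = timeout
        self.contexts = {}  # (host, errorsrc) -> Context

    def feed(self, host, ts, msg):
        """Process one log line. Returns the action's generated MESSAGE for a
        matching line, or None when the pattern does not match."""
        m = BADAUTH_RE.search(msg)
        if m is None:
            return None
        src = m.group("errorsrc")
        key = (host, src)
        ctx = self.contexts.get(key)
        if ctx is None or ts - ctx.last_seen > self.timeout:
            ctx = Context()          # no live context: this message opens one
            self.contexts[key] = ctx
        ctx.values.append(src)
        ctx.last_seen = ts
        # ${badauth.errorsrc}@1 / @2: value from the 1st / 2nd message in the
        # context; @2 is empty while the context holds a single message.
        at1 = ctx.values[0]
        at2 = ctx.values[1] if len(ctx.values) > 1 else ""
        kind = "Duplicate" if at1 == at2 else "First"
        return f"{kind} BGP Authentication Error to neighbour {at1} - last one was {at2}"


# Constructed sample input: (host, seconds since start, message). Addresses are
# from documentation ranges, not values taken from the thread.
SAMPLE = [
    ("rtr1", 0, "%TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.1(56561) (RST)"),
    ("rtr1", 10, "%TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.1(56562) (RST)"),
    ("rtr1", 20, "%TCP-6-BADAUTH: No MD5 digest from 2001:db8::1(179) to 2001:db8::2(21296) (RST)"),
    ("rtr2", 30, "%TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.1(56563) (RST)"),
    ("rtr1", 40, "some unrelated log line that the pattern must not match"),
    ("rtr1", 700, "%TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.1(56564) (RST)"),
]


def correlate(lines):
    """Run every line through one correlator; returns the generated messages
    (None for non-matching lines), i.e. what the action would emit."""
    c = BadAuthCorrelator()
    return [c.feed(host, ts, msg) for host, ts, msg in lines]


def first_only(lines):
    """The suppression the poster is after: keep only the first BADAUTH per
    neighbour, per host, within the context timeout; drop the repeats."""
    return [out for out in correlate(lines) if out and out.startswith("First")]


if __name__ == "__main__":
    for out in correlate(SAMPLE):
        print(out)
    print("--- after suppression ---")
    for out in first_only(SAMPLE):
        print(out)
```

Running it shows the behaviour the poster expected: the first message for each neighbour on each host is labelled "First" with an empty "last one was", the 10-second repeats are "Duplicate", a second host gets its own context, and a message arriving more than 600 seconds after the last one starts a fresh context and is reported as "First" again.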
On Fri, 2011-11-04 at 10:49 +0000, Daniel Ankers wrote:
Hi, I've got the following as part of my ruleset:
  <!-- Match and suppress %TCP-6-BADAUTH messages -->
  <rule id='def42cfb-4364-4cfd-bbf1-cdf4f0bc3c88' class='lowpri' context-id="badauth-${badauth.errorsrc}" context-timeout='600' context-scope='host'>
    <patterns>
      <pattern>%TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER::@) to @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)</pattern>
    </patterns>
    <examples>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 195.66.XXX.XX(179) to 195.66.YYYY.YY(56561) (RST)</test_message>
      </example>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 2001:7F8:X::abcd:1(179) to 2001:7F8:X::1234:1(21296) (RST)</test_message>
      </example>
    </examples>
    <actions>
      <action trigger='match'>
        <message>
          <values>
            <value name='MESSAGE'>$(if ("${badauth.errorsrc}@1" eq "${badauth.errorsrc}@2") "Duplicate" "First") BGP Authentication Error to neighbour ${badauth.errorsrc}@1 - last one was ${badauth.errorsrc}@2</value>
          </values>
        </message>
      </action>
    </actions>
  </rule>
  <!-- End %TCP-6-BADAUTH -->

When I feed example messages in from a file, I expect to see something like the following:

  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:X::abcd:1
  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z

Instead I see:

  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:4::abcd:1
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
What am I getting wrong with the "if" function?
The background to this is that the first of these messages from any host is useful information - however they are sent every 10 seconds and I'm trying to suppress all but the first message for each neighbour. I've tried several different ways of doing this including rate-limiting on the <action> but none of them have worked the way I expected.
Hmm... you understand it right, and it should work exactly as you wrote, however as implemented filter expressions don't support correlation contexts.

I've pushed a branch to github to fix this issue to the msg-contexts-in-filters branch.

I still need some thinking time, but you could give it a try.

Feedback is appreciated. And thanks for finding this problem.

-- Bazsi
On Wed, 2011-11-09 at 22:34 +0100, Balazs Scheidler wrote:
On Fri, 2011-11-04 at 10:49 +0000, Daniel Ankers wrote:
Hi, I've got the following as part of my ruleset:
  <!-- Match and suppress %TCP-6-BADAUTH messages -->
  <rule id='def42cfb-4364-4cfd-bbf1-cdf4f0bc3c88' class='lowpri' context-id="badauth-${badauth.errorsrc}" context-timeout='600' context-scope='host'>
    <patterns>
      <pattern>%TCP-6-BADAUTH: No MD5 digest from @IPvANY:badauth.errorsrc:@(@NUMBER::@) to @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)</pattern>
    </patterns>
    <examples>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 195.66.XXX.XX(179) to 195.66.YYYY.YY(56561) (RST)</test_message>
      </example>
      <example>
        <test_message program='patternize'>%TCP-6-BADAUTH: No MD5 digest from 2001:7F8:X::abcd:1(179) to 2001:7F8:X::1234:1(21296) (RST)</test_message>
      </example>
    </examples>
    <actions>
      <action trigger='match'>
        <message>
          <values>
            <value name='MESSAGE'>$(if ("${badauth.errorsrc}@1" eq "${badauth.errorsrc}@2") "Duplicate" "First") BGP Authentication Error to neighbour ${badauth.errorsrc}@1 - last one was ${badauth.errorsrc}@2</value>
          </values>
        </message>
      </action>
    </actions>
  </rule>
  <!-- End %TCP-6-BADAUTH -->

When I feed example messages in from a file, I expect to see something like the following:

  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:X::abcd:1
  Nov 4 10:40:54 syslog First BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z

Instead I see:

  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 2001:7F8:X::abcd:1 - last one was 2001:7F8:4::abcd:1
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
  Nov 4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour 195.66.Y.Z - last one was 195.66.Y.Z
What am I getting wrong with the "if" function?
The background to this is that the first of these messages from any host is useful information - however they are sent every 10 seconds and I'm trying to suppress all but the first message for each neighbour. I've tried several different ways of doing this including rate-limiting on the <action> but none of them have worked the way I expected.
Hmm... you understand it right, and it should work exactly as you wrote, however as implemented filter expressions don't support correlation contexts.
I've pushed a branch to github to fix this issue to the msg-contexts-in-filters branch.
I still need some thinking time, but you could give it a try.
Feedback is appreciated. And thanks for finding this problem.
Any feedback on this? Thanks. -- Bazsi