Yuri (I hope you forgive me, but I cannot remember your last name) provided some sample rules that he had written to handle event storms. Basically, if 10 events from the same host are received in a 30 second window, then drop them after generating a new event indicating a storm. To me this is not really a storm, but more like a surge. This is an interesting problem with a solution that is not readily apparent. The groups presented several possible solutions, and I will admit the solution my group came up with was less than optimal ;-) After a little thought I came up with a working SCE implementation; too bad it was not in the class. ;-)

A close approximation to the Prolog rules can be achieved with two SCE rules: a threshold rule that generates the surge event once 10 events from one host arrive within 30 seconds, and a resetOnMatch rule that discards the following events from that host for the same interval.
<rule id="surge.threshold" type="normal" directAccess="true">
  <threshold timeInterval="30000" thresholdCount="10">
    <cloneable attributeSet="hostname" />
    <action function="TECSummary" singleInstance="false">
      <parameters> <![CDATA[SET:msg=EVENT SURGE FROM HOST ]]> </parameters>
    </action>
  </threshold>
</rule>

<rule id="surge.reset" type="normal" directAccess="true">
  <resetOnMatch timeInterval="30000" triggerMode="allEvents" randomOrder="false">
    <cloneable attributeSet="hostname" />
    <predicate>true</predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-1 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-2 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-3 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-4 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-5 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-6 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-7 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-8 ]]> </predicate>
    <predicate> <![CDATA[ &hostname == &hostname@-9 ]]> </predicate>
  </resetOnMatch>
</rule>

(The attribute is spelled triggerMode; the original had a typo that would have kept the rule from loading.)
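To make the behaviour of the two rules concrete outside of SCE, here is an added Python model of the same per-host logic (my own illustration, not Yuri's rules or TEC code): a sliding 30 second window per hostname, one surge summary when the count reaches 10, then a 30 second drop window for that host. It assumes that events below the threshold are forwarded unchanged, which the post does not spell out.

```python
from collections import defaultdict, deque


class SurgeDetector:
    """Per-host sliding-window counter approximating the two SCE rules.

    threshold rule : when `threshold` events from one host arrive inside
                     `window_ms`, emit one summary (EVENT SURGE FROM HOST x).
    reset rule     : after the summary, drop that host's events for another
                     `window_ms`, then start counting again.
    Assumption (not stated in the post): events below the threshold are
    forwarded as-is; only events inside the reset window are dropped.
    """

    def __init__(self, window_ms=30_000, threshold=10):
        self.window_ms = window_ms
        self.threshold = threshold
        self.recent = defaultdict(deque)   # host -> timestamps (ms) in window
        self.suppress_until = {}           # host -> end of drop window (ms)

    def process(self, event):
        """Return ("forward", event), ("surge", summary) or ("drop", event)."""
        host, ts = event["hostname"], event["ts"]
        until = self.suppress_until.get(host)
        if until is not None:
            if ts < until:
                return ("drop", event)        # still inside the reset window
            del self.suppress_until[host]     # window expired, count again
        window = self.recent[host]
        while window and ts - window[0] >= self.window_ms:
            window.popleft()                  # slide the window forward
        window.append(ts)
        if len(window) >= self.threshold:
            window.clear()
            self.suppress_until[host] = ts + self.window_ms
            summary = {"hostname": host, "ts": ts,
                       "msg": "EVENT SURGE FROM HOST " + host}
            return ("surge", summary)
        return ("forward", event)


def run(events, **kwargs):
    """Feed events through one detector and return the list of decisions."""
    det = SurgeDetector(**kwargs)
    return [det.process(e) for e in events]


# Constructed sample: 10 events from web01 one second apart, one more from
# web01 inside the reset window, one from db01, then web01 after the window.
SAMPLE = ([{"hostname": "web01", "ts": i * 1000} for i in range(10)]
          + [{"hostname": "web01", "ts": 15_000},
             {"hostname": "db01", "ts": 16_000},
             {"hostname": "web01", "ts": 39_000}])

if __name__ == "__main__":
    for action, ev in run(SAMPLE):
        print(action, ev)
```

Note that, unlike the SCE resetOnMatch rule, this model does not restart the drop window on every suppressed event; it simply expires 30 seconds after the summary was generated.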