jamesroman
2013-01-18 16:47:56 UTC
jamesroman [http://community.zenoss.org/people/jamesroman] created the discussion
"Correlating multiple events into one based on event "
To view the discussion, visit: http://community.zenoss.org/message/71089#71089
--------------------------------------------------------------
I am tracking some traffic through our firewall. It is sending specific connections to Zenoss, however, it is generating a new event for each occurrence. I would like to correlate events where the source and destination are the same and simply increment the hit count, but can't figure out how to write the regex or transform for the event. Below is an example of the event:
access-list ACL_IN permitted tcp Interface1/111.111.111.111(33333) -> Interface2/222.222.222.222(44444) hit-cnt 1 first hit [0xc2eb7bf2, 0xf40bda83]
where
111.111.111.111 is the Source IP
33333 is the Source Port
222.222.222.222 is the Destination IP
44444 is the Destination Port
I would like Zenoss to recognize all events with the same Source IP, Destination IP and Destination Port as a recurring event. Currently I am only monitoring traffic on one destination port, so that could be a static value in the regular expression with multiple event mappings, but extra points will be awarded if I could use one event mapping for any destination port.
I think that if I wanted to simply group all instances into one event, I would use a regex something like:
access-list ACL_IN permitted tcp Interface1\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\(\d{1,5}\) -> Interface2\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\(\d{1,5}\)
what I want to do is configure some sort of variable that can be compared to existing events
access-list ACL_IN permitted tcp Interface1\/$variable_1\(\d{1,5}\) -> Interface2\/$variable_2\($variable_3\)
Does anyone have any advice how to correlate these events?
TIA
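One way to get the grouping asked for above, as an added example rather than anything from the original thread: parse the ASA line with named groups and have the event transform set evt.eventKey to a key built from source IP, destination IP and destination port only, so Zenoss folds repeats into one event and increments its count. The Event class and the sample lines are constructed for an offline run; in a real transform only the body of transform() is needed.

```python
import re
from collections import Counter

# Named-group regex for the Cisco ASA access-list message quoted in the post.
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<src_port>\d{1,5})\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<dst_port>\d{1,5})\)"
)

def parse_acl(summary):
    """Return the ACL fields as a dict, or None if the line is not an ACL hit."""
    m = ACL_RE.search(summary)
    return m.groupdict() if m else None

def correlation_key(summary):
    """Source IP, destination IP and destination port; the ephemeral source
    port is deliberately left out so repeats of one flow collapse together."""
    f = parse_acl(summary)
    return None if f is None else "acl|%s|%s|%s" % (f["src_ip"], f["dst_ip"], f["dst_port"])

class Event(object):
    """Constructed stand-in for the evt object a Zenoss transform receives."""
    def __init__(self, summary):
        self.summary = summary
        self.eventKey = ""

def transform(evt):
    """Transform body: Zenoss de-duplicates on eventKey (together with device,
    component, event class and severity), so setting it to the correlation key
    makes each repeat increment the existing event's count instead of opening
    a new event."""
    key = correlation_key(evt.summary)
    if key is not None:
        evt.eventKey = key
    return evt

def correlate(summaries):
    """Offline check of the grouping the collector would perform: hits per key."""
    keys = (transform(Event(s)).eventKey for s in summaries)
    return Counter(k for k in keys if k)

# Constructed sample: one flow three times with differing source ports, plus
# one hit on a different destination port that must stay a separate event.
SAMPLE = [
    "access-list ACL_IN permitted tcp Interface1/111.111.111.111(33333) -> Interface2/222.222.222.222(44444) hit-cnt 1 first hit [0xc2eb7bf2, 0xf40bda83]",
    "access-list ACL_IN permitted tcp Interface1/111.111.111.111(33334) -> Interface2/222.222.222.222(44444) hit-cnt 1 first hit [0xc2eb7bf2, 0x0000aaaa]",
    "access-list ACL_IN permitted tcp Interface1/111.111.111.111(33335) -> Interface2/222.222.222.222(44444) hit-cnt 1 first hit [0xc2eb7bf2, 0x0000bbbb]",
    "access-list ACL_IN permitted tcp Interface1/111.111.111.111(33336) -> Interface2/222.222.222.222(443) hit-cnt 1 first hit [0xc2eb7bf2, 0x0000cccc]",
]
```

Leaving the source port out of the key is what makes this a single event mapping for any destination port; if you later want per-source-port events, add f["src_port"] to the key.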
--------------------------------------------------------------
Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/71089#71089]
Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]