
Event filters creation


Introduction

Event filters are used to trigger actions when an event is received by LoriotPro. For each Event, multiple filters can be defined and thus multiple actions can be generated.

An action can send an E-mail, play a sound, start a program, send the event to the correlator, convert it to speech, and so on.

To create a filter you have the choice between three methods:

1. Invoke the wizard from a received Event. This is the easiest method because the filter is created automatically and you only have to choose the action.

2. Invoke the wizard from the filter tree. This method requires you to know the number of the Event that you want to filter.

3. Open the Filter file and edit it. This method is recommended if you want to create many similar filters.

A filter for an Event is defined by a single line (no line break) in the trapfilter.txt file, starting with the keyword event. An Event filter contains six to seven parameters.

Example : event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"


Invoking Wizard from a received Event

Like in the Trap window, the Global Event window has a contextual menu with the option Event Filter Wizard.



This option is used to create a Filter from a received Event. If you have not received the Event yet and you want to create a Filter for it, you cannot use this option and must use the Filter Tree instead.

Select an Event from the Global Event Window and right click to call the contextual menu.

>Event Filter Wizard…

invoke wizard filter

The creation of a new action for this Event is proposed. The parameters of the current event are used to define the action.

The filter creation window is displayed with the current action parameters.


Event filter window (Wizard)

The IP address field allows you to filter on the source IP address of the event.

The mask allows you to extend the filter to a whole network instead of a single IP host.

The Strings field allows you to filter on character strings contained in the message itself.

The Action Wizard list box allows you to select an action type from the list. The Action parameter allows you to define the additional parameters that will be used by the program.

Action - Play sound

Select a wave file. You should have a wav file player installed.

Action - Start Windows Program and Start DOS program

Select a program.

Action - Send Syslog message

Enter the IP address of the Syslog server.

Action - Forward to Custom window

A window is displayed asking you to select in which Custom window you want it displayed.


Event Custom Selection (Wizard)

Custom Windows are available under the three Tabs of the Global Event Window.

Custom 1 Custom 2 Custom 3

Action - Forward to another LoriotPro

Enter the address of the LoriotPro server to which you want to forward the event.

Action - Send E-mail

Enter the Email address of the receiver.

Warning: The SMTP Scheduler service should be installed for this option to work.

Once you have set the action you can define the parameter string attached to this action.

For example, if you send an E-mail you can provide the Message by specifying the %m value as in the following screenshot.

Finally you can adjust the behavior of the filter by setting thresholds.

Match All

Every time the Filter matches, the action is triggered.

Match only First

Given a Trap Filter Counter initially at 0, the action is triggered only the first time the filter matches.

Match only X

Given a Trap Filter Counter initially at 0, only the first X filter matches trigger the action.

Match after X

Given a Trap Filter Counter initially at 0, after X filter matches each new Filter match triggers the action.

Match if supposed burst for time interval <=

Counts the Filter matches during the specified time interval and triggers the action if the count is above the threshold.

Match Every X

Triggers the action every X filter matches.
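The threshold settings above, as an added Python illustration (not LoriotPro code): a per-filter counter decides whether one more match fires the action. The mode names are my own, and the burst setting is read as a sliding window, which is an assumption.

```python
from collections import deque


class FilterThreshold:
    """Per-filter threshold: decides whether one more match fires the action.

    Added illustration of the handbook's threshold settings, not LoriotPro code.
    Mode names are assumptions; the burst mode is read as a sliding window.
    """

    def __init__(self, mode, x=0, interval=0.0):
        self.mode = mode          # all, first, only_x, after_x, every_x, burst
        self.x = x                # the X of the setting, or the burst threshold
        self.interval = interval  # burst window length in seconds
        self.count = 0            # the Trap Filter Counter, initially at 0
        self.recent = deque()     # match timestamps still inside the burst window

    def on_match(self, now=0.0):
        """Record one filter match; return True if the action must be triggered."""
        self.count += 1
        if self.mode == "all":      # every match triggers
            return True
        if self.mode == "first":    # only the first match triggers
            return self.count == 1
        if self.mode == "only_x":   # only the first X matches trigger
            return self.count <= self.x
        if self.mode == "after_x":  # after X matches, each new match triggers
            return self.count > self.x
        if self.mode == "every_x":  # every X-th match triggers
            return self.count % self.x == 0
        if self.mode == "burst":    # more than X matches within the interval
            self.recent.append(now)
            while now - self.recent[0] > self.interval:
                self.recent.popleft()
            return len(self.recent) > self.x
        raise ValueError(f"unknown threshold mode: {self.mode}")


def trigger_pattern(mode, times, x=0, interval=0.0):
    """Feed a sequence of match timestamps and return which ones fired the action."""
    threshold = FilterThreshold(mode, x, interval)
    return [threshold.on_match(t) for t in times]
```

A host flapping between up and down produces a run of event 100/101 matches; the burst setting reports that once the count crosses X instead of sending one mail per flap.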


Invoking Wizard from the Filter Tree

We have seen that the Event Filter Wizard allows you to create filters in a simple way. The Wizard can also be called directly from the Filter tree by selecting an Event in the tree and right clicking. Select the menu option

>New Event Filter…

This time, an empty creation window is displayed.

From there you can either choose an existing Event in the list or register a new Event by calling the Wizard.

The Wizard button calls the advanced window that helps you to create the character string that will be used in the command line.

Warning: The creation window adds the newly created filter at the bottom of the tree, and the trapfilter.txt file is automatically saved when you leave it. If you want to re-order the filters you should manually edit the trapfilter.txt file, save it after modification and refresh the window from the menu Configure>Traps/Events Filter.


Event filters syntax

The following table gives the syntax to use in an Event filter.

Table of Event filters syntax (Parameter / Example / Definition)

event
  Example: event
  Definition: The keyword event starts each new line defining a filter and is used by the compiler.

number
  Example: 210
  Definition: The reference number of the event. The list is defined in the events.txt file.

IP
  Example: 0.0.0.0
  Definition: This parameter and the following one (the mask) are used to trigger an action if the source address of the packet matches the filter. The rule applied is:

  IF (IP_SOURCE_RECEIVED AND IP_MASK) = IP THEN action

  Example, with IP received = 10.33.10.121:
  If the rule has IP = 0.0.0.0 and IP_MASK = 0.0.0.0, all IP addresses trigger the action.
  If the rule has IP = 10.33.0.0 and IP_MASK = 255.255.0.0, the action is triggered because 10.33.10.121 belongs to network 10.33.0.0.
  If the rule has IP = 20.0.0.0 and IP_MASK = 255.0.0.0, no action is triggered because 10.33.10.121 does not belong to network 20.0.0.0.

  To select a unique address (example: 192.168.10.1), code the IP and mask as below:
  Action 192.168.10.1 255.255.255.255

level
  Example: 4
  Definition: The level of severity assigned to this event. Values from 0 to 10 are used to assign a level of severity to the Trap. The level allows Traps to be displayed in different colors in the Global Event window.

Action type
  Example: Play sound
  Definition: The type of action to trigger if the IP address condition is satisfied. See next table.

command
  Example: "wave/linedown.wav"
  Definition: A character string, quote delimited, containing the parameters used in the command line. See next table.


Variables of Event

Variable    Value assigned
%r %R       Event number
%i %I       IP address of the sending agent
%T          Local time stamp
%l          Severity level
%m          The message generated by the Event
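The syntax table and the variables above, applied by an added Python example that is not LoriotPro code: it parses a constructed trapfilter.txt fragment, applies the IP/mask rule, and expands the event variables into the command string. The fragment, the function names and the sample event are my own.

```python
import ipaddress
import re
import shlex

# Constructed trapfilter.txt fragment for the demo (not the file shipped with LoriotPro).
SAMPLE = """
# event 101 (host go down): everyone gets a sound, the 10.33/16 network also gets a mail
event 101 0.0.0.0 0.0.0.0 1 wave "wave/hostgodown.wav"
event 101 10.33.0.0 255.255.0.0 4 smtp "noc@example.invalid host %i down: %m"
event 101 20.0.0.0 255.0.0.0 1 null "empty"
event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
"""

EVENT_VARS = re.compile(r"%[rRiITlm]")  # the event variables listed in the handbook


def parse_event_filters(text):
    """Return one dict per `event` line: number, ip, mask, level, action, command."""
    filters = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # keeps the quoted command string whole
        if len(fields) < 6 or fields[0].lower() != "event":
            continue  # comment, blank line or trap/action line
        filters.append({
            "number": int(fields[1]), "ip": fields[2], "mask": fields[3],
            "level": int(fields[4]), "action": fields[5].lower(),
            "command": fields[6] if len(fields) > 6 else "",
        })
    return filters


def ip_matches(source_ip, rule_ip, rule_mask):
    """The handbook's rule: (IP_SOURCE_RECEIVED AND IP_MASK) = IP."""
    src, ip, mask = (int(ipaddress.IPv4Address(a)) for a in (source_ip, rule_ip, rule_mask))
    return (src & mask) == ip


def expand(command, event):
    """Substitute %r %R %i %I %T %l %m in one pass, so a value is never re-expanded."""
    subst = {"%r": str(event["number"]), "%R": str(event["number"]),
             "%i": event["ip"], "%I": event["ip"], "%T": event["time"],
             "%l": str(event["level"]), "%m": event["message"]}
    return EVENT_VARS.sub(lambda m: subst[m.group()], command)


def select_actions(filters, event):
    """Each filter whose number and IP/mask match yields (action, expanded command); %l is the filter's level."""
    out = []
    for f in filters:
        if f["number"] == event["number"] and ip_matches(event["ip"], f["ip"], f["mask"]):
            out.append((f["action"], expand(f["command"], dict(event, level=f["level"]))))
    return out
```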

Action list (Action / Command)

Play a sound
  The command line parameter string should contain the full path to a wave file. The string can contain variables.
  Example:
  Wave "wave/chord.wav"

Start a Windows type program
  The command line parameter string should contain the full path to a Windows executable file. The string can contain variables.
  Example:
  winrun "telnet %i"

Start a DOS type program
  The command line parameter string should contain the full path to the executable file. The string can contain the same variables as the Trap filter string.
  Example:
  Dosrun "telnet %i"

Send a Syslog message
  The command line parameter string contains the IP address of the Syslog server and other variables.
  Example:
  syslog "10.33.10.126 %r for %n from %i from proxy [%p] Request from station [%0]"

Create a Mail message in the Mail spooler
  The command line parameter string should contain the E-mail address and other variables.
  Example:
  smtp "unknow@domain.com  Authentication fail %i %m "

Display the Trap in the custom window 1 to 3, with its variables
  Example:
  Custom  "1 %n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"

Route the event to another LoriotPro server
  The command line contains the destination IP address and the UDP port used on the remote LoriotPro for receiving Events.
  Example:
  Route "10.33.10.126 5001"

Null
  Do nothing.

Remark: You could define several filters for the same Event type with different associated actions and different address filters.

Example

event 101 0.0.0.0 0.0.0.0 1 wave "wave/%igodown.wav"
event 101 10.33.10.121 255.255.255.255 4 custom 1
event 101 0.0.0.0 0.0.0.0 2 custom 2
event 10002 0.0.0.0 0.0.0.0 4 custom 2
event 101 10.0.0.0 255.0.0.0 1 wave "wave/hostgodown.wav"
event 101 0.0.0.0 0.0.0.0 1 smtp "ludo4@test.com %i form %I host go down"
event 100 0.0.0.0 0.0.0.0 1 wave "wave/%igoup.wav"
event 100 0.0.0.0 0.0.0.0 1 winrun "telnet %i"
event 100 20.0.0.0 0.0.0.0 1 wave "wave/chord.wav"
event 100 30.0.0.0 0.0.0.0 1 wave "wave/chord.wav"
event 101 00.0.0.0 0.0.0.0 1 route "10.33.10.122 5001"
event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
event 211 0.0.0.0 0.0.0.0 4 wave "wave/loriotgodown.wav"
event 214 10.33.10.121 255.255.255.255 1 wave "ding.wav"
event 214 0.0.0.0 0.0.0.0 1 null "empty"
event 1 10.33.10.121 255.255.255.255 1 wave "wave/ding.wav"
event 100005 0.0.0.0 0.0.0.0 4 dosrun "toto.bat '%m'"


Refresh Traps Filters Menu


Event Filter file

The Event Filters are defined in the same file as the Trap filters.

The trapfilter.txt file is located in the /bin directory. It contains a few trap and event filters that can serve as examples to create and customize your management server.

Trapfilter.txt file

# trapfilter.txt file used by LoriotPro (c) 1999-2002, all rights Reserved Ludovic Lecointe
#
# This file was loaded at the start of LoriotPro
#  It is possible to refresh the trap filter in the event docking window with the context menu
#  or when you go to the mib compiler module
#
# For the smtp action install and configure the SmtpEventScheduler.sp service plugin
#####################################################################################
#
# Available parameters and syntax for trap string
#------------------------------------------------
#
# %r reference
# %i agent ip address
# %p proxy ip address
# %t timestamp given by agent in trap packet
# %T timestamp local
# %0 to %9 buffer parameters of the trap if exist
# $0 to $9 name parameters of the trap if exist
# %n ObjId of the trap
# %N name of the trap if exist
# %l level of the trap
#
# 7 columns define the trap
#
# 1 trap
# 2 ObjID for trap generic 6
# 3 trap generic number 1 to 6: (1-5) reserved, 6 enterprise; put 6 for notification V2c or V3
# 4 trap specific number x for enterprise trap: put 0 for notification V2c or V3
# 5 trap level for syslog or action in event manager
# 6 "string with variables"
# 7 event level (300 by default, or above 10000 for custom;
#                            if 0 the event is not generated, only the actions)
#
# Available parameters and syntax for action string (the same as for trap)
#------------------------------------------------
#
# 6 columns define trap action
#
# 1 action                             keyword
# 2 ip add
# 3 ip mask
# 4 community (* = any)
# 5 action (wave winrun dosrun syslog)
#                                          wave "wave/linedown.wav"
#                                          winrun "telnet %i"
#                                          dosrun "dir *.*"
#                                          syslog "10.33.10.126 string with variable"       
#                       trap "10.33.10.129"  (reroute the trap to 10.33.10.129)                     
#                       smtp "name@domain.com string with variable"
# 6 "string with variable running"
#
#
#
# Available parameters and syntax for event string
#------------------------------------------------
#
# %i %I agent ip address
# %m message of the event (the '<x>' information at the start of the message is replaced
#                          by ' x ' if you use the dosrun or winrun action.
# %r %R ref of the event (number)
# %T timestamp local
# %l level for this action
#
# 7 columns define event action
#
# 1 event                              keyword
# 2 number      (reference of the event see events.txt file)
# 3 ip add
# 4 ip mask
# 5 level       (number) assign one level for this event and this ip/mask selection
# 6 action (wave winrun dosrun syslog custom null)
#                                          wave "soubd/ding.wav"
#                                          winrun "telnet %i"
#                                          dosrun "dir *.*"
#                                          syslog "10.33.10.126 string with variable"       
#                       smtp "name@domain.com string with variable"
#                       custom 1 (1 2 or 3 to display the alert in custom alert list box)
#                       null null
# 7 "string with variable running"
################################################################################
#########################################################################
#trap /action configuration
#########################################################################
#V2c or V3 notification sample
trap  enterprises.9.9.43.2.0.1 6 0 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
 action 10.33.10.121 255.255.255.255 * wave "wave/chord.wav"
trap  ciscoMgmt.41.2 6 1 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
trap  ciscoMgmt.43.2 6 1 1 "%n for Agent %i proxy [%p] $0->%0 $1->%1 $2->%2 $3->%3"
trap  cisco 6 1 3 "%n (%N) for agent %i from proxy [%p]  : %0 %1 $2/%2 ByteIn/%3 ByteOut/%4 $5/%5"
trap  loriotidsprobe 6 1 3 "%n (%N) for agent %i from proxy [%p]  : %0 %1 $2/%2 ByteIn/%3 ByteOut/%4 $5/%5"
trap  ciscoSyslogMIBNotificationPrefix 6 1 3 "%n (%N) for agent %i from proxy [%p] %0 %1 %2 %3 %4 %5"
trap  ciscoConfigManMIBNotificationPrefix 6 1 3 "%n (%N) for agent %i from proxy [%p] %0 %1 %2 %3 %4 %5"
trap  LinkDown 2 0 6 "%r for %n from %i  Interface %1 at %t Description %1 Type %2 Status %3" 10002
#action 10.33.10.121 255.255.255.255 public wave "wave/ding.wav"
#action 10.33.10.121 255.255.255.255  * winrun "telnet %i"
action 0.0.0.0 0.0.0.0  *  wave "wave/linedown.wav"
trap  LinkUp 3 0 4 "%r for %n from %i  Interface %1 at %t Description %1 Type %2 Status %3" 10001
 action 0.0.0.0 0.0.0.0  *  wave "wave/lineup.wav"
trap  Authentication 4 0 3 "%r for %n from %i from proxy [%p] Request from station [%0]" 10005
#action 10.33.10.121 255.255.255.255 public trap "10.33.10.129"
#action 10.33.10.121 255.255.255.255 public wave "wave/ding.wav"
#action 0.0.0.0 0.0.0.0  * syslog "10.33.10.126 %r for %n from %i from proxy [%p] Request from station [%0]"
#########################################################################
#event configuration see events.h and events.txt file
#########################################################################
#define EVENT_NEWHOST                            1
#define EVENT_NEWNETWORK    2
#define EVENT_HOSTGOUP                          100
#define EVENT_HOSTGODOWN    101
#define EVENT_HOSTGOPOLLED  102
#define EVENT_HOSTGONOPOLLED 103
#define EVENT_HTTPDGOUP                        200
#define EVENT_HTTPDGODOWN  201
#define EVENT_POLLINGGOUP      202
#define EVENT_POLLINGGODOWN              203
#define EVENT_POLLINGPINGGOUP            204
#define EVENT_POLLINGPINGGODOWN     205
#define EVENT_POLLINGSNMPGOUP           206
#define EVENT_POLLINGSNMPGODOWN    207
#define EVENT_PLUGINLOADERROR 208
#define EVENT_LORIOTGOUP        210
#define EVENT_LORIOTGODOWN 211
#define EVENT_V3AUTHERROR     212
#define EVENT_V3REPLAY                             213
#define EVENT_V3ERROR                             214
                                           
#define EVENT_TRAP                                     300
#########################################################################
event 200 0.0.0.0 0.0.0.0 2 wave "wave/warninghttpdgoup.wav"
event 201 0.0.0.0 0.0.0.0 2 wave "wave/warninghttpdgodown.wav"
#event 101 0.0.0.0 0.0.0.0 1 wave "wave/hostgodown.wav"
#event 101 10.0.0.0 255.0.0.0 1 wave "wave/hostgodown.wav"
#event 101 10.33.10.121 255.255.255.255 4 custom 1
#event 100 0.0.0.0 0.0.0.0 1 wave "wave/%igoup.wav"
#event 100 20.0.0.0 255.0.0.0 1 wave "wave/ding.wav"
#event 100 30.0.0.0 255.0.0.0 1 wave "wave/ding.wav"
event 210 0.0.0.0 0.0.0.0 4 wave "wave/loriotgoup.wav"
event 211 0.0.0.0 0.0.0.0 4 wave "wave/loriotgodown.wav"
#event 2 0.0.0.0 0.0.0.0 2 wave "wave/newnetwork.wav"
#event 1 10.33.10.121 255.255.255.255 1 wave "wave/ding.wav"
#event 214 10.33.10.121 255.255.255.255 1 wave "ding.wav"
#event 214 0.0.0.0 0.0.0.0 1 null "empty"
#event 300 0.0.0.0 0.0.0.0 1 syslog "10.33.10.129 %m"
#event 300 0.0.0.0 0.0.0.0 1 smtp "unknow@domain.com %m"
#event 10005 0.0.0.0 0.0.0.0 1 smtp "unknow@domain.com  Authentication fail %i %r %R %m"

