DX NetOps


Not able to clear the alarm in CA Spectrum.

  • 1.  Not able to clear the alarm in CA Spectrum.

    Posted Oct 11, 2018 11:09 AM

    Hi All,

     

    Can anyone help me with the request below?

    I am using Spectrum 10.3. In it we have configured the attack alarm for one device. The alarm is created, but the clearing event is not working.

     

    Alarm trigger event:

     

    A "bigipDosAttackStart" event has occurred, from X device, named X.

    A DOS attack start was detected.

    bigipNotifyObjMsg = A NETWORK /Common/X DOS attack start was detected for vector Sweep attack, Attack ID 2004692455.

     

    In this the Attack ID is unique, and the same Attack ID appears in the clear event also.

     

    Alarm clear event:

     

    A "bigipDosAttackStop" event has occurred, from x, named x.

    A DOS attack stop was detected.

    bigipNotifyObjMsg = A NETWORK /Common/x DOS attack has stopped for vector Sweep attack, Attack ID 2004692455.

     

    In this the start and stop events are not the same.

    In the start event variable: "start was detected"

    and in the stop event variable: "attack has stopped".

    This is the only difference.

    Here I have attached the clear event configuration.

     

     

    Thanks,

    john.



  • 2.  Re: Not able to clear the alarm in CA Spectrum.

    Broadcom Employee
    Posted Oct 11, 2018 11:23 AM

    You'll need to use an event procedure ( Parse a Single Varbind into Multiple Event Variables - CA Spectrum - 10.3 - CA Technologies Documentation  ) to parse the "Attack ID" variable out of the bigipNotifyObjMsg string and use that for the event variable discriminator, if there is no other varbind that presents the Attack ID all by itself.  Spectrum is comparing the two values for bigipNotifyObjMsg and while "the only difference is 'start was detected' and 'attack has stopped', " it's enough to make Spectrum correctly say that the two strings are different.



  • 3.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 15, 2018 09:10 AM

    Hi Robert,

     

    Thanks for your reply ...

    I am not familiar with this (creating an event procedure). Can you help me with how to clear this attack alert?

    As I mentioned above, there are two events: one for the alert trigger and another for the clear.

    For the alert trigger, the event code is 0xfff00037:

     

    A "bigipDosAttackStart" event has occurred, from X device, named X. A DOS attack start was detected. bigipNotifyObjMsg = A NETWORK /Common/X DOS attack start was detected for vector Sweep attack, Attack ID 4277782360.

     

    For the clear, 0xfff00038:

     

    A "bigipDosAttackStop" event has occurred, from X device, named X. A DOS attack stop was detected. bigipNotifyObjMsg = A NETWORK /Common/X DOS attack has stopped for vector Sweep attack, Attack ID 4277782360.

     

    But when I'm using this 0xfff00038 to clear 0xfff00037 it is not working (meaning it does not clear the alert).

     

    Thanks,

    john



  • 4.  Re: Not able to clear the alarm in CA Spectrum.
    Best Answer

    Broadcom Employee
    Posted Oct 17, 2018 05:07 PM

    Unfortunately, you have to edit EventDisp files directly in order to use event procedures.  This is what I have in $SPECROOT/custom/Events/EventDisp:

     

    0x03b700af E 20 P "CreateEventWithVariables(\
                    {C CURRENT_MODEL},\
                    {H 0xfff00037},\
                    SetEventVariable(\
                        GetEventVariableList(),\
                        {U 2},\
                        GetRegexp(GetEventVariable({U 1}), {S \".* Attack ID (.*)\"}, {U 1})))"
    0x03b700b0 E 20 P "CreateEventWithVariables(\
                    {C CURRENT_MODEL},\
                    {H 0xfff00038},\
                    SetEventVariable(\
                    GetEventVariableList(),\
                    {U 2},\
                    GetRegexp(GetEventVariable({U 1}), {S \".* Attack ID (.*)\"}, {U 1})))"
    0xfff00037 E 20 A 2,0x03b700af,2
    0xfff00038 E 20 C 0x03b700af,2

     

    If you copy/paste above, you have to make sure that there are NO spaces after the backslash characters at the end of the line.  I use a text editor that shows these for me when I edit these files:

     

    You can also just enter each event procedure on a single line and get rid of the backslash/end-of-line bits.

     

    As far as what the procedures do, the first one is executed when 0x03b700af (the out of the box trap mapping for bigipDosAttackStart) is received.  That procedure says to generate event 0xfff00037 with all the existing event varbinds (only 1 - bigipNotifyObjMsg) and a new one (variable 2) that is made up of whatever is after Attack ID in variable 1.  When 0xfff00037 is generated, a new alarm with the out of the box probable cause 0x3b700af is generated, but we have an event variable discriminator of variable 2 (our extracted value for Attack ID):

     

     

    I also modified the event message just so I can show the Attack ID separately but that's not required.

     

    When we receive the clear event (out of the box it is 0x03b700b0), we do a similar extraction of Attack ID via regular expression match and generate 0xfff00038 with the existing variable 1 and our new variable 2.

     

    The 0xfff00038 is very simple and almost like what you had in your screenshot except the event variable discriminator is 2 (our extracted Attack ID) instead of the full bigipNotifyObjMsg:

     

     

    With that all in place, everything works as expected:

     

     

    If you've never edited EventDisp files by hand before, you need to remember to update the event configuration on the VNM model after you've finished:

     

    Hope that helps.

     

    -Rob
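    As an added example (not part of the original thread and not Spectrum's own code), the following Python models what the EventDisp snippet above does: the two procedures copy the incoming varbinds, add variable 2 by applying the same ".* Attack ID (.*)" pattern to bigipNotifyObjMsg, and raise 0xfff00037 / 0xfff00038; the alarm table then keys alarms on (model, probable cause, discriminator value) so a clear only matches when all three agree. The sample messages are constructed from the ones quoted in the thread, and GetRegexp/CreateEventWithVariables are stand-ins whose semantics are assumed to be a plain regex search and a dict, not the real SpectroSERVER implementations. Running it with the discriminator set to variable 1 (the whole message, as in the original configuration) versus variable 2 (the extracted Attack ID) shows why the first never clears and the second does.

```python
import re
from dataclasses import dataclass, field

# Constructed sample bigipNotifyObjMsg values, modelled on the messages quoted in the
# thread (device names and Attack IDs are illustrative).
START_MSG = ("A NETWORK /Common/X DOS attack start was detected for vector "
             "Sweep attack, Attack ID 2004692455.")
STOP_MSG = ("A NETWORK /Common/X DOS attack has stopped for vector "
            "Sweep attack, Attack ID 2004692455.")
START_MSG_2 = START_MSG.replace("2004692455", "4277782360")

EV_DOS_START, EV_DOS_STOP = 0x03b700af, 0x03b700b0   # out-of-the-box trap events
EV_ALARM, EV_CLEAR = 0xfff00037, 0xfff00038          # events the procedures generate
PROBABLE_CAUSE = 0x03b700af                          # "A 2,0x03b700af,2" / "C 0x03b700af,2"
ATTACK_ID_RE = r".* Attack ID (.*)"                  # the pattern from the EventDisp snippet


def get_regexp(text, pattern, group):
    """Stand-in for Spectrum's GetRegexp(): capture group `group` of the first match, else ''.
    (Assumed semantics: a Python re.search; the real function's corner cases may differ.)"""
    m = re.search(pattern, text)
    return m.group(group) if m else ""


def create_event_with_variables(model, code, varbinds):
    """Stand-in for CreateEventWithVariables(): an event here is a plain dict."""
    return {"model": model, "code": code, "vars": dict(varbinds)}


def procedure(event):
    """The two procedures from the snippet: on 0x03b700af / 0x03b700b0 copy the existing
    variables, add variable 2 = everything after 'Attack ID' in variable 1, and raise
    0xfff00037 / 0xfff00038 on the same model. Other events are left alone."""
    target = {EV_DOS_START: EV_ALARM, EV_DOS_STOP: EV_CLEAR}.get(event["code"])
    if target is None:
        return None
    varbinds = dict(event["vars"])
    # The greedy (.*) also captures the trailing '.', exactly as the snippet's pattern
    # would; both start and stop carry it, so the two values still compare equal.
    varbinds[2] = get_regexp(varbinds[1], ATTACK_ID_RE, 1)
    return create_event_with_variables(event["model"], target, varbinds)


@dataclass
class AlarmTable:
    """Minimal model of the 'A <severity>,<cause>,<var>' and 'C <cause>,<var>' EventDisp
    actions: an alarm is keyed by (model, probable cause, value of the discriminator
    variable), and a clear only succeeds when all three match."""
    discriminator_var: int
    active: dict = field(default_factory=dict)
    unmatched_clears: int = 0

    def handle(self, event):
        key = (event["model"], PROBABLE_CAUSE, event["vars"][self.discriminator_var])
        if event["code"] == EV_ALARM:
            self.active[key] = event
        elif event["code"] == EV_CLEAR and self.active.pop(key, None) is None:
            self.unmatched_clears += 1


def run(discriminator_var, trap_events):
    """Feed trap events through the procedures and the alarm table; return the table."""
    table = AlarmTable(discriminator_var)
    for ev in trap_events:
        generated = procedure(ev)
        if generated is not None:
            table.handle(generated)
    return table


# Constructed trap sequence: two attacks start, the first one stops.
TRAPS = [
    {"model": "bigip-1", "code": EV_DOS_START, "vars": {1: START_MSG}},
    {"model": "bigip-1", "code": EV_DOS_START, "vars": {1: START_MSG_2}},
    {"model": "bigip-1", "code": EV_DOS_STOP, "vars": {1: STOP_MSG}},
]

if __name__ == "__main__":
    broken = run(1, TRAPS)  # discriminator = whole bigipNotifyObjMsg (the original config)
    fixed = run(2, TRAPS)   # discriminator = extracted Attack ID (the procedure's variable 2)
    print("full-string discriminator:", len(broken.active), "active,",
          broken.unmatched_clears, "unmatched clear")   # 2 active, 1 unmatched clear
    print("Attack ID discriminator:  ", len(fixed.active), "active,",
          fixed.unmatched_clears, "unmatched clear")    # 1 active, 0 unmatched clear
```

    With variable 1 as the discriminator the stop event's message differs from the start event's message in the "start was detected" / "has stopped" wording, so its key never matches an active alarm; with variable 2 the key is the Attack ID alone and the stop clears exactly the attack it belongs to while the other attack stays active.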



  • 5.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 18, 2018 05:18 AM

    Rob,

    A great Event Proc real life example that should be a help to anyone needing to get their head around this strange functional language where *everything* is a function call and there are no statements unlike normal programming. Although you got a bit tired getting the indentation right for the 2nd event I saw! The ones in the Event Configuration manual are not very realistic and only snippets I recall, not a completely worked case like this one. Glad you could make the time to do it!

    By the way, there used to be a bug whereby if you opened an event that has an EvProc via the Console's Event Editor, and save it - it corrupted your event procedure text - even if you'd only changed something else about it - like checking or un-checking event logging in the Event Options. Does it still do that?

    Anyway, top marks!

    Cheers

    Dan



  • 6.  Re: Not able to clear the alarm in CA Spectrum.

    Broadcom Employee
    Posted Oct 18, 2018 08:30 AM

    I'm glad you found it useful.  The lack of indentation had to do with me not paying attention during the copy/paste due to multitasking.  I might go back and edit just to "make it pretty" but it is worth pointing out for those new or unfamiliar with event procedures that unlike languages like Python, the white space and newlines aren't required.  The backslashes at the end of the lines are really to "escape" out the newline characters so the SpectroSERVER just interprets it as one line of code with a bunch of spaces in it that it will ignore.

     

    Yes, the "bug" is there but while it drastically alters the event procedure formatting, it doesn't corrupt the procedure's function.  It would be great if ECE left things like comments and formatting in place but the way I think of it, I treat the EventDisp files on a running server as "compiled" code.  What that means is I'll have all my comments and "pretty" formatting in a separate text file for reference and editing but when I put procedures in place, I'll make the procedure fit on one, usually very long, line and copy/paste it.  So, from this example:

     

    0x03b700af P "CreateEventWithVariables({C CURRENT_MODEL},{H 0xfff00037},SetEventVariable(GetEventVariableList(), {U 2}, GetRegexp(GetEventVariable({U 1}), {S \".* Attack ID (.*)\"}, {U 1})))"
    0x03b700b0 P "CreateEventWithVariables({C CURRENT_MODEL},{H 0xfff00038},SetEventVariable(GetEventVariableList(),{U 2},GetRegexp(GetEventVariable({U 1}), {S \".* Attack ID (.*)\"}, {U 1})))"
    0xfff00037 E 20 A 2,0x3b700af,2
    0xfff00038 E 20 C 0x3b700af,2

     

    It might not be clear due to formatting limitations here but there should only be a total of 4 lines above.  I also tend to remove event logging on procedures (note the "E 20" missing above on the first two lines) once I know they're working to reduce the volume of events going into Archive Manager and Report Manager.  The fact that I used a procedure to get to the end result doesn't have much value to a NOC user trying to understand the flow of events on a device.

     

    -Rob



  • 7.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 18, 2018 09:18 AM

    Hi Rob,

    Yep it was a great post by you.

     

    Re the "bug". I didn't mean it *just* removed white space from the EventProc text. From Console ECE,  if you saved an event definition that just happened to have an EventProc in it, even if **you didn't even visit the event rules tab**, but made some other minor change, it truncated the EventProc's text in the EventDisp file so that it had virtually nothing after the 'P' at all, just a few random characters. (And SS logged a parsing error in the logfile at startup assuming you had that enabled in dot vnmrc).  I can't get onto a Spectrum right now to check.  But If you haven't encountered that -  it sounds like it's fixed by now, great!

     

    Re formatting/indents etc - I think we should be encouraging people to make the effort to put that in, and be good programmers, and prevent errors rather than reminding that it doesn't matter.  There have been a few requests for help on here with EventProcs that were impenetrable to understand unless you had the time to lay them out properly to have a close look at!

    I do as you do, retain a formatted copy separately for understanding/ explaining purposes! Clearly the next time Spectroserver writes out its event config to the  EventDisp files it collapses all the white space out of rules, and EventProcs become gobbledygook to look at.

    All Best

    Dan.



  • 8.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 24, 2018 07:16 AM

    Hi Robert,

     

    Thanks for your support. Can you explain to me how it is working, please?

    I am not seeing any trap event (0x03b700af) sent from the device to Spectrum.

    I can see only this event (0xfff00037) sent from the device to Spectrum, so why are you using 0x03b700af?

     

    And if I want to create a new event procedure for 0xfff00037, then I want to create a new event with a variable for the Attack ID.

     

    I have done the same thing you provided, but the Attack ID is not showing in the event.

     

     

    Thanks,

    john



  • 9.  Re: Not able to clear the alarm in CA Spectrum.

    Broadcom Employee
    Posted Oct 24, 2018 03:59 PM

    Not sure I quite understand but let me try.  The device doesn't send 0x03b700af but rather a trap OID (1.3.6.1.4.1.3375.2.4.0.133) and varbind (1.3.6.1.4.1.3375.2.4.1.1 ) for bigipDosAttackStart.  0x03b700af is the event that's mapped to the bigipDosAttackStart trap that's included in the out of the box AlertMaps shipped with Spectrum ($SPECROOT/SS/CsVendor/ctron_cse33/AlertMap, in this case):

     

    # bigipDosAttackStart                   bigipNotifyObjMsg
    1.3.6.1.4.1.3375.2.4.0.133   0x03b700af 1.3.6.1.4.1.3375.2.4.1.1(1,0)

     

    # bigipDosAttackStop                    bigipNotifyObjMsg
    1.3.6.1.4.1.3375.2.4.0.134   0x03b700b0 1.3.6.1.4.1.3375.2.4.1.1(1,0)

     

    You may have a customization in place that overrode the default mapping with 0xfff00037, so that could be why you don't see 0x03b700af coming in.  If that's the case, you can either remove the custom AlertMap entry and use the one that ships with Spectrum or you'll need to modify the event procedure to substitute 0xfff00037 and 0xfff00038 for 0x03b700af and 0x03b700b0 respectively and substitute new event codes for where I had 0xfff00037 and 0xfff00038 originally.  If you go with new event codes, you'll also need to create new EvFormat files for them as well (copy in ECE would work for this).

     

    As far as not seeing the Attack ID, I see in the screen shot that you didn't modify the EvFormat to include "{S 2}", which is the variable that the Attack ID uses.  Hope that helps.
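    As an added example (not part of the original thread and not Spectrum's own code), the following Python parses AlertMap entries of the form quoted above into trap OID, event code and varbind-to-event-variable mappings, then resolves a trap with a hypothetical custom entry shadowing the default one, which is the situation the reply suspects. The custom excerpt is constructed for the example; the precedence of a custom entry over the shipped one is taken from the reply's description rather than verified against SpectroSERVER, and the second number inside the parentheses is kept but not interpreted. The point it shows is that once the start trap maps straight to 0xfff00037, a procedure keyed on 0x03b700af never runs, so variable 2 is never created.

```python
import re

# Constructed AlertMap excerpts: the two default entries quoted in the reply above, plus a
# hypothetical custom entry of the kind the reply suspects is overriding the start trap.
DEFAULT_ALERTMAP = """\
# bigipDosAttackStart                   bigipNotifyObjMsg
1.3.6.1.4.1.3375.2.4.0.133   0x03b700af 1.3.6.1.4.1.3375.2.4.1.1(1,0)

# bigipDosAttackStop                    bigipNotifyObjMsg
1.3.6.1.4.1.3375.2.4.0.134   0x03b700b0 1.3.6.1.4.1.3375.2.4.1.1(1,0)
"""
CUSTOM_ALERTMAP = """\
# hypothetical override: map the start trap straight to the alarm event
1.3.6.1.4.1.3375.2.4.0.133   0xfff00037 1.3.6.1.4.1.3375.2.4.1.1(1,0)
"""

TRAP_START = "1.3.6.1.4.1.3375.2.4.0.133"
TRAP_STOP = "1.3.6.1.4.1.3375.2.4.0.134"

# Events the EventDisp procedures from earlier in the thread are keyed on, and the
# events they generate.
PROCEDURE_TRIGGERS = {0x03b700af: 0xfff00037, 0x03b700b0: 0xfff00038}

ENTRY_RE = re.compile(r"^(?P<trap>\d+(?:\.\d+)+)\s+(?P<event>0x[0-9a-fA-F]+)(?P<vbs>.*)$")
VARBIND_RE = re.compile(r"(\d+(?:\.\d+)+)\((\d+),(\d+)\)")


def parse_alertmap(text):
    """Parse lines of the form '<trap OID> <event code> <varbind OID>(<n>,<second>) ...'
    into {trap OID: (event code, [(varbind OID, event variable n, second), ...])}.
    Comment and blank lines are skipped; any other line that does not match is an error."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable AlertMap line: {raw!r}")
        varbinds = [(oid, int(n), int(second))
                    for oid, n, second in VARBIND_RE.findall(m["vbs"])]
        entries[m["trap"]] = (int(m["event"], 16), varbinds)
    return entries


def resolve(trap_oid, default_map, custom_map):
    """Event code and varbind mappings a trap resolves to. A custom entry for the same
    trap OID shadows the default one (assumed precedence, as the reply above describes)."""
    if trap_oid in custom_map:
        return custom_map[trap_oid]
    return default_map[trap_oid]


def events_for_trap(trap_oid, default_map, custom_map):
    """Event codes produced for one trap: the mapped event, then the procedure's event
    if the mapped event is one the procedures are keyed on."""
    code, _ = resolve(trap_oid, default_map, custom_map)
    chain = [code]
    if code in PROCEDURE_TRIGGERS:
        chain.append(PROCEDURE_TRIGGERS[code])
    return chain


if __name__ == "__main__":
    defaults = parse_alertmap(DEFAULT_ALERTMAP)
    custom = parse_alertmap(CUSTOM_ALERTMAP)
    for label, override in (("no override", {}), ("custom override", custom)):
        print(f"{label}: start trap ->",
              [hex(c) for c in events_for_trap(TRAP_START, defaults, override)])
    # no override:     start trap -> ['0x3b700af', '0xfff00037']
    # custom override: start trap -> ['0xfff00037']   (procedure on 0x03b700af never runs)
```

    Removing the custom entry (or re-keying the procedures on 0xfff00037 / 0xfff00038 and generating fresh event codes, as the reply offers) restores the two-step chain in which the Attack ID gets extracted.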



  • 10.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 25, 2018 07:53 AM

    Hi Robert,

     

    Thanks for your support and for spending your valuable time helping me.

    If you don't mind, can you explain how to create the EvFormat file and how to handle ECE in Spectrum? It will help me create new events for our environment's needs.

     

     

    Thanks,

    john.



  • 11.  Re: Not able to clear the alarm in CA Spectrum.

    Broadcom Employee
    Posted Oct 25, 2018 08:31 AM

    Event Format (EVFormat) files are covered in the documentation here:  Event Format Files - CA Spectrum - 10.3 - CA Technologies Documentation .  But before you create new files, why do you have 0xfff00037 overriding the out of the box 0x03b700af event?

     

     

    I would remove the custom trap mapping and then what I provided will work.



  • 12.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 26, 2018 12:58 AM

    Hi Robert,

     

    Thanks for your support...

     

    Thanks,

    john.



  • 13.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 24, 2018 06:51 AM

    Hi Robert,

     

    Thanks for your support. Can you explain to me how it is working, please?

    I am not seeing any trap event (0x03b700af) sent from the device to Spectrum.

    I can see only this event (0xfff00037) sent from the device to Spectrum, so why are you using 0x03b700af?

     

    And if I want to create a new event procedure for 0xfff00037, then I want to create a new event with a variable for the Attack ID.

     

    Thanks,

    john

     



  • 14.  Re: Not able to clear the alarm in CA Spectrum.

    Posted Oct 24, 2018 09:43 AM

    Hi Robert,

     

    Thanks for your support, and kindly help me understand how it is working, because I just copied and pasted the same thing you provided above into our environment, but the Attack ID is not showing.

    for 0x3b700af

     

     

    for 0xfff00037

     

    Thanks,

    john.