Forum Discussion
smp_86112
Cirrostratus
Jul 29, 2008
Custom SNMP Traps - clarify "match string" usage
Reference the article posted by deb a few days ago:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=256
After reading this article, I...
smp_86112
Cirrostratus
Jul 29, 2008
I'm still not sure I have this right. Let me restate to confirm.
alertd receives a message from syslog-ng which contains both an alert code and a message string. alertd looks in bigip_error_maps.dat to find an alert definition which matches the alert code or message string. Once a map is found, it performs the action matching the definition in the user_alert.conf (or alertd.conf).
Is that right?
If it is, then I still don't understand why a match string can/should be specified in user_alert.conf, since the mapping is done with the bigip_error_maps.dat file and not user_alert.conf.
To illustrate what I'm getting at, take the example in the article.
syslog-ng sends an alert with a matching message string "FAILED LOGIN admin FROM 192.168.1.1 FOR console, Authentication Failure" (I don't know what this alert really looks like). alertd finds the map between "FAILED LOGIN (.*) FROM (.*) FOR (.*), Authentication failure" and "BIGIP_AUTH_FAIL" alert in bigip_error_maps.dat, and sends the trap matching that definition in user_alert.conf:
alert BIGIP_AUTH_FAIL "FAILED LOGIN (.*) FROM (.*) FOR (.*), Authentication failure" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.27"
}
Why can/should the message string be specified in user_alert.conf? Hasn't alertd already found the appropriate alert definition by the time it needs to use it?
In addition, what controls the message string sent by syslog-ng?