You configure aggregates in the Aggregate Section of the local copy of my_hook_syslog.asl rule set, located in BASEDIR/smarts/local/rules/icoi-syslog directory. “Using the Trap Adapter Aggregate parameter” on page 69 provides general information about Aggregates.
The following example illustrates how to use the aggregate parameter with the Syslog Adapter:
/*
* my_hook_syslog.asl - Hook adapter for
* any syslog related customizations.
*
* Copyright (C) 1997, System Management ARTS (SMARTS)
* All Rights Reserved
*/
debug = FALSE;
ASLNAME = " ".getRuleFileName().": ";
DISCARD = "TRUE";
CLEAR_SYSLOG = "FALSE";
/*
* This interval (in seconds) will be used to batch updates to
* notifications. In case, where a high frequency of
* notifications occur, batching will improve performance.
* Setting this interval to 0, will disable batching.
*/
BATCH_NOTIFY_INTERVAL = 10;
CLASSNAME = "Syslog";
INSTANCENAME = "";
EVENTNAME = "";
SEVERITY = "2";
EVENTTEXT = "";
CATEGORY = "";
EXPIRATION = "300";
STATE = "";
INMAINTENANCE = "FALSE";
CLEARONACKNOWLEDGE = "TRUE";
EVENTTYPE = "";
USERDEFINED1 = "";
USERDEFINED2 = "";
USERDEFINED3 = "";
USERDEFINED4 = "";
USERDEFINED5 = "";
USERDEFINED6 = "";
USERDEFINED7 = "";
USERDEFINED8 = "";
USERDEFINED9 = "";
USERDEFINED10 = "";
ELEMENTCLASSNAME = "";
ELEMENTNAME = "";
SYSNAMEORADDR = "";
UNKNOWNAGENT = "IGNORE";
LOGFILE = "NONE";
/* Need to Declare these, if you want Aggregates
* --------------------------------------------- */
AGG_EVENTNAME = "";
AGG_ELEMENTNAME = "";
AGG_EVENTTEXT = "";
/*
* Input Variables: Following are the variable declarations,
* which hold the Syslog parsed values.
* -------------------------------------------------------- */
SYSLOGTIME = "";
HOST = "";
APPLICATION_NAME = "";
PROCESS_ID = "";
MESSAGE = "";
if (debug) { print(time().ASLNAME."Activated"); }
/*
* Start Rule
* ---------- */
START {
input=MESSAGE;
MODIFY_ATTRIBUTES
CREATE_AGGREGATE
} do {
if (debug) { print(time().ASLNAME."Done with my_hook_syslog.asl ");}
return;
}
CREATE_AGGREGATE {
} do {
// If you see strings "CPU" and "HighUtilization" in
// the syslog
// message, then generate and aggregate.
// --------------------------------------------------
if (glob("*CPU*",MESSAGE) &&
glob("*HighUtilization*",MESSAGE)) {
AGG_EVENTNAME = "Degraded";
AGG_ELEMENTNAME = HOST;
AGG_EVENTTEXT = "Host [".HOST."] is Degraded";
}
}
MODIFY_ATTRIBUTES {
} do {
CLASSNAME = "Processor" ? LOG;
INSTANCENAME = "PRO-".HOST ? LOG;
EVENTNAME = substring(MESSAGE, 0, 30) ? LOG;
SEVERITY = "2" ? LOG;
EVENTTEXT = MESSAGE ? LOG;
CATEGORY = "" ? LOG;
EXPIRATION = "7200" ? LOG; //PR:6617
STATE = "NOTIFY" ? LOG;
INMAINTENANCE = "FALSE" ? LOG;
CLEARONACKNOWLEDGE = "TRUE" ? LOG;
EVENTTYPE = "DURABLE" ? LOG;
ELEMENTCLASSNAME = "Processor";
ELEMENTNAME = "PRO-".HOST ? LOG;
UNKNOWNAGENT = "CREATE";
LOGFILE = "Processor.log";
}
DEFAULT {
msg:{.. eol}
} do {
print(time().ASLNAME."Reached Default rule: ".msg);
this->clearVariables();
}
/*
* These variables describe the formatting of this file. If
* you don't like the template defaults, feel free to change
* them here (not in your .emacs file).
*
* Local Variables:
* mode: C++
* End:
*/
