The following example shows the general structure of a simple rule:
```
simple_rule: rule_name:
    description: 'description_text'
    directive: directives
    event: event_filter
        where [
            attribute_conditions
        ]
    when:
        event_conditions:
            event_actions
```

| Event Action | Description |
|---|---|
| change_event_severity | Specifies a new value for the severity attribute. Severity can be UNKNOWN, HARMLESS, WARNING, MINOR, CRITICAL, and FATAL. Syntax: `change_event_severity(new_severity)` |
| change_event_status | Specifies a new value for the status attribute. Status can be OPEN, RESPONSE, ACK, or CLOSED. Syntax: `change_event_status(new_status)` |
| drop_duplicate_event | Checks for the existence of a duplicate event in the event cache having a status other than CLOSED within a time window (in whole minutes). If one exists, the repeat_count attribute of the existing event is incremented by one and the newly received event is dropped. Syntax: `drop_duplicate_event(time_window)` |
| exec_program | Runs a system command, shell script, or other program. The default search path is $BINDIR/TME/TEC. The commands, scripts, or programs are run on the same node as the event server. See exec_program for additional information about the arguments for this event action. The arguments for the exec_program rule language predicate are similar. Note: For the exec_program event action in a simple rule, only event attributes are valid values for the _arg_list argument, unlike the exec_program rule language predicate for which you can specify any values for the _arg_list argument. Syntax: `exec_program(prog_name, _format_string, _arg_list, watch_status)` |
| exec_task | Runs a task from the specified task library. By default, tasks are run on the same node as the event server. Proper access to a task library is necessary to use this action. See exec_task for additional information about the arguments for this event action. The arguments for the exec_task rule language predicate are similar. Note: For the exec_task event action in a simple rule, only event attributes are valid values for the _arg_list argument, unlike the exec_task rule language predicate for which you can specify any values for the _arg_list argument. Syntax: `exec_task(task_name, format_string, _arg_list, watch_status)` |
| forward_event | Sends an event to a different event server. There must be a ServerLocation option specified in the tec_forward.conf file in the TEC_RULES subdirectory of the rule base. See the description of forward_event for additional information about the tec_forward.conf file. Syntax: `forward_event()` |
| set_event_message | Specifies the text for the msg attribute in the event. This can be an informational message or it can contain the value of another attribute. See set_event_message for additional information about the arguments for this event action. The arguments for the set_event_message rule language predicate are similar. Note: For the set_event_message event action in a simple rule, only event attribute names are valid values for the _value argument, unlike the set_event_message rule language predicate for which you can specify any values for the _value argument. Syntax: `set_event_message(_format, [_value])` |

The following example simple rule changes the severity of an Su_Failure event to FATAL if an su command (switch user) to root fails three times within five minutes:
```
simple_rule: escalate_su_failure:
    description: 'Escalate more than 3 su root failures in 5 minutes.'
    event: Su_Failure
        where [ to_user: equals 'root' ]
    when: frequency_exceeds 3 within 5 minutes:
        change_event_severity('FATAL').
```
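
To check what the escalate_su_failure rule above would flag before loading it into a rule base, the following Python sketch emulates its filter, time window and action over a handful of events. It is an added example, not code from this guide or the product: the function name, the sample events and the starting severity of WARNING are constructed, and it assumes the rule fires once the count of matching events inside the window reaches the threshold, as the sentence introducing the rule states.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the guide): (timestamp, class, to_user).
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "Su_Failure", "root"),
    ("2024-01-01 10:01:30", "Su_Failure", "oracle"),  # excluded by the where clause
    ("2024-01-01 10:02:00", "Su_Failure", "root"),
    ("2024-01-01 10:04:59", "Su_Failure", "root"),    # third root failure inside 5 minutes
    ("2024-01-01 10:20:00", "Su_Failure", "root"),    # earlier failures have aged out
    ("2024-01-01 10:21:00", "Su_Success", "root"),    # different event class
]


def escalate_su_failure(events, threshold=3, window=timedelta(minutes=5)):
    """Return the events as dicts, with severity FATAL where the rule fires."""
    recent = deque()  # timestamps of matching events still inside the window
    out = []
    for ts_text, event_class, to_user in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        event = {"time": ts_text, "class": event_class,
                 "to_user": to_user, "severity": "WARNING"}  # assumed starting severity
        # event: Su_Failure  where [ to_user: equals 'root' ]
        if event_class == "Su_Failure" and to_user == "root":
            recent.append(ts)
            # Discard matches that fall outside the window ending at this event.
            while ts - recent[0] >= window:
                recent.popleft()
            # when: frequency condition met -> change_event_severity('FATAL')
            if len(recent) >= threshold:
                event["severity"] = "FATAL"
        out.append(event)
    return out


if __name__ == "__main__":
    for e in escalate_su_failure(SAMPLE_EVENTS):
        print(e["time"], e["class"], e["to_user"], e["severity"])
```

Only the 10:04:59 event is escalated; the failure for another user and the late failure at 10:20:00 leave the severity unchanged.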