FIDO: generic alarm matching criteria and examples

FIDO has several attributes, including 'impact', 'help files', 'time of day', 'holddown' and 'group_correlation', that all use the same alarm matching criteria.

Alarms are processed in the following order:

items {exact matches}
pre_attributes: {override for CIDR based matching}
ip: {CIDR based matching}
attributes: {generic criteria}

The 'same_as' keyword allows a rule to inherit actions from another match. As of 2022/03/16, same_as support is FIDO specific. See the examples below.

IPs are matched against a trie.

Attribute rules are matched in numerical order of the rule number.


IP based matching, IPv4 and IPv6

ip:
  206.108.255.0/24:
    # any alarm with an IP in this range will be treated as impact 4, no matter the alarm type.
    fido_impact:
      reason: MICE peering
      value: '4'
  2001:504:27::/64:
    same_as: 206.108.255.0/24

Alarm attribute based matching

Rules are processed in numerical order. Each rule can have submatches (the 'matches:' tag). The submatches under 'matches:' form a logical AND.

Under each 'matches:' rule there can be either an 'undefined', a 'defined', an 'equal', -OR- one or more 'match' or 'portTags' values. Invoking 'portTags' will try to match the given string through the NS::portTags module. 'match' and 'portTags' values are Perl regular expressions that are quoted [($possible_match =~ m/\Q$_\E/i);], so metacharacters match literally.
For 'match', if you set the 'match_re = true' keyword [see the BAN example below], special characters are preserved and the value is used as a real regexp [($possible_match =~ m/$_/i);].
For 'match', if you set the 'match_CIDR = true' keyword, a less-than-or-equal (containment) match is performed on the CIDR. See the match_CIDR example below.
There can also be one or more FIDO alarm 'key_match' values. These keys form a mesh logical OR. So, for example, in rule '1000' submatch '10' below, only one of device, descr or ___infohash___Descr needs to match s-vahosp-101-1-access for the alarm to be accepted by the rule.

---
attributes:
    # some time of day examples. These would be uncommented to actually do something.
    # This rule is only in effect a few hours a day from 2018/12/10 3pm to 2018/12/12 3pm.
    # You can use time OR valid; you don't need to use both.
    #time: 2pm-4pm,6pm-8pm
    #valid:
    #  start: 2018/12/10 3pm
    #  end: 2018/12/12 3pm
  '1000':
    fido_help_files:
      value: BanVAHospital
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: s-vahosp-101-1-access

  '1040':
    fido_help_files:
      value: BAN Support Process
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: ^fa-.*-ban
        match_re: 'true'
  '1050':
    # this keeps alarms that match in a 15 minute holddown
    # the 'absolute_time' tidbit forces the comment to take place automatically

    fido_holddown:
      comment: $reason
      reason: Juniper Fan

      # one year
      time: 525960
      # item will stay auto commented
      absolute_time: never

    fido_impact:
      reason: Juniper Fan
      value: '4'

  # different ways to match on the management network.  You need separate rules since 'matches' are a logical AND, not an OR, but the use of 'same_as' helps reduce errors.
  '1200':
    fido_help_files:
      value: management network
    fido_impact:
      reason: management network
      value: '3'
    matches:
      '20':
        key_match: ___infohash___Descr
        # note, this will match even if the descr is :RMI: for example
        portTags:
          RI: ''

  '1210':
    same_as: 1200
    matches:
      '10':
        key_match:
          device: ''
          ___infohash___Descr: ''
        match:
          ^t-: ''
          ^s-.+-mgmt: ''
        match_re: '1'

  '1220':
    same_as: 1200
    matches:
      '10':
        key_match: interface
        match:
          fxp0: ''
  # if this interface is so unimportant that it doesn't have a description, don't escalate it
  100000:
    fido_impact:
      reason: interface has no description
      value: '3'
    matches:
      '10':
        key_match: test
        equal: ifOperStatus
      '20':
        key_match: ___infohash___Descr
        undefined: ''
  101000:
    # this keeps alarms that match in a 15 minute holddown
    fido_holddown:
      reason: impact escalation holddown
      time: 15

    matches:
      10:
        key_match: ___impact___value
        match:
          3: ''
          4: ''
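The evaluation order described above (rules in numerical order, submatches ANDed, key_match keys ORed, 'match' quoted unless match_re is set, 'undefined'/'equal' tests, and 'same_as' inheritance) can be checked against a small interpreter. The following is an added example and not FIDO's own code: the rules are the page's YAML transcribed into Python dicts (rule numbers as integers), the alarms are constructed, the portTags submatch of rule 1200 is left out because it depends on the NS::portTags module, and two points the page does not state are marked as assumptions in the comments: that 'same_as' inherits actions but not submatches, and that evaluation continues past the first matching rule.

```python
import re

# Constructed rule table mirroring the page's 'attributes:' YAML (plain dicts so this runs
# without PyYAML). The page's portTags submatch under rule 1200 depends on the NS::portTags
# module and is not modelled; here 1200 only carries the actions that 1210/1220 inherit.
RULES = {
    1000: {"fido_help_files": {"value": "BanVAHospital"},
           "matches": {10: {"key_match": {"___infohash___Descr": "", "descr": "", "device": ""},
                            "match": "s-vahosp-101-1-access"}}},
    1040: {"fido_help_files": {"value": "BAN Support Process"},
           "matches": {10: {"key_match": {"___infohash___Descr": "", "descr": "", "device": ""},
                            "match": "^fa-.*-ban", "match_re": "true"}}},
    1200: {"fido_help_files": {"value": "management network"},
           "fido_impact": {"reason": "management network", "value": "3"}},
    1210: {"same_as": 1200,
           "matches": {10: {"key_match": {"device": "", "___infohash___Descr": ""},
                            "match": {"^t-": "", "^s-.+-mgmt": ""}, "match_re": "1"}}},
    1220: {"same_as": 1200,
           "matches": {10: {"key_match": "interface", "match": {"fxp0": ""}}}},
    100000: {"fido_impact": {"reason": "interface has no description", "value": "3"},
             "matches": {10: {"key_match": "test", "equal": "ifOperStatus"},
                         20: {"key_match": "___infohash___Descr", "undefined": ""}}},
}

# Constructed alarms (key/value hashes as FIDO would see them).
ALARMS = {
    "vahosp": {"device": "s-vahosp-101-1-access", "descr": "uplink"},
    "ban": {"device": "fa-lab-1-ban", "descr": "BAN edge"},
    "fxp0": {"device": "r-core-1", "interface": "fxp0", "descr": "mgmt"},
    "nodescr": {"device": "s-lab-1-mgmt", "interface": "ge-0/0/1", "test": "ifOperStatus"},
}


def values(spec):
    """A 'match' or 'key_match' is either one string or a YAML map whose keys are the values."""
    return list(spec) if isinstance(spec, dict) else [spec]


def flag(value):
    """match_re is written as 'true' or '1' on the page; both switch the raw-regex mode on."""
    return str(value).lower() in ("1", "true")


def submatch_ok(sub, alarm):
    """One submatch: the key_match keys form a mesh OR, so any key satisfying the test suffices."""
    for key in values(sub["key_match"]):
        value = alarm.get(key)
        if "undefined" in sub:
            if value is None:
                return True
            continue
        if "defined" in sub:
            if value is not None:
                return True
            continue
        if value is None:
            continue
        if "equal" in sub:
            if value == sub["equal"]:
                return True
            continue
        if "match" not in sub:
            continue
        for pattern in values(sub["match"]):
            # Default: the pattern is quoted (Perl m/\Q$_\E/i); match_re keeps metacharacters live.
            regex = pattern if flag(sub.get("match_re")) else re.escape(pattern)
            if re.search(regex, str(value), re.IGNORECASE):
                return True
    return False


def resolve(rules, number):
    """'same_as' inherits the referenced rule's actions (assumption: not its submatches);
    keys the rule sets itself take precedence."""
    rule = rules[number]
    if "same_as" not in rule:
        return rule
    base = resolve(rules, int(rule["same_as"]))
    merged = {k: v for k, v in base.items() if k != "matches"}
    merged.update({k: v for k, v in rule.items() if k != "same_as"})
    return merged


def evaluate(rules, alarm):
    """Walk the rules in numerical order; every submatch must hold (logical AND).
    Returns [(rule_number, {action: settings})] for each rule that accepted the alarm
    (assumption: evaluation continues past the first hit; take [0] for first-match semantics)."""
    hits = []
    for number in sorted(rules):
        rule = resolve(rules, number)
        subs = rule.get("matches")
        if not subs:  # assumption: an action-only rule is just a same_as template
            continue
        if all(submatch_ok(subs[n], alarm) for n in sorted(subs)):
            hits.append((number, {k: v for k, v in rule.items() if k.startswith("fido_")}))
    return hits


if __name__ == "__main__":
    for name, alarm in ALARMS.items():
        print(name, [n for n, _ in evaluate(RULES, alarm)])
```

Running it shows the BAN alarm accepted by rule 1040 only because match_re is set: strip that keyword and '^fa-.*-ban' becomes a literal string that matches nothing. The fxp0 alarm is accepted by 1220 but carries the impact and help-file actions of 1200 through same_as, and the undescribed interface is accepted by both 1210 (device name) and 100000 (ifOperStatus test plus undefined description).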



match_CIDR example: in this example an alarm whose subnet4 is 128.104.1.128/25 matches because that subnet lies within 128.104.1.0/24
  6000000:
    matches:
      10:
        key_match: subnet4
        match: 128.104.1.0/24
        match_CIDR: 1
    reason: test
    value: 1.2K
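Both CIDR-based mechanisms on this page, the trie lookup of the 'ip:' section (with its IPv6 entry inheriting via same_as) and the match_CIDR containment test of rule 6000000, can be reproduced with Python's standard ipaddress module. This is an added example and not FIDO's own code: the IP rule table is the page's 'ip:' section plus a constructed /16 entry that exists only to show the most specific prefix winning, and the assumption that a trie lookup returns the longest matching prefix is marked in the comments.

```python
import ipaddress

# Constructed IP rule table mirroring the page's 'ip:' section. The /16 entry is added here
# (not on the page) only to show that the most specific prefix wins.
IP_RULES = {
    "206.108.255.0/24": {"fido_impact": {"reason": "MICE peering", "value": "4"}},
    "2001:504:27::/64": {"same_as": "206.108.255.0/24"},
    "206.108.0.0/16": {"fido_impact": {"reason": "constructed wider block", "value": "2"}},
}


def resolve_ip_rule(rules, cidr):
    """Follow 'same_as' so the IPv6 entry carries the IPv4 entry's actions."""
    rule = rules[cidr]
    while "same_as" in rule:
        rule = rules[rule["same_as"]]
    return rule


def ip_lookup(rules, address):
    """Longest-prefix match over the rule CIDRs, which is what a trie lookup yields
    (assumption: the most specific containing prefix wins). Returns (cidr, actions) or None."""
    addr = ipaddress.ip_address(address)
    best_cidr, best_len = None, -1
    for cidr in rules:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_cidr, best_len = cidr, net.prefixlen
    if best_cidr is None:
        return None
    return best_cidr, resolve_ip_rule(rules, best_cidr)


def match_cidr(rule_cidr, alarm_value):
    """The match_CIDR comparison: the alarm's subnet matches when it is equal to or
    contained in the rule's CIDR (the page's 'less than or equal' match)."""
    try:
        rule_net = ipaddress.ip_network(rule_cidr, strict=False)
        alarm_net = ipaddress.ip_network(alarm_value, strict=False)
    except ValueError:  # not a CIDR at all: treat as no match rather than raising
        return False
    return alarm_net.version == rule_net.version and alarm_net.subnet_of(rule_net)


def rule_6000000_matches(alarm):
    """The page's rule 6000000: key_match subnet4, match 128.104.1.0/24, match_CIDR on."""
    return match_cidr("128.104.1.0/24", alarm.get("subnet4", ""))


if __name__ == "__main__":
    print(ip_lookup(IP_RULES, "2001:504:27::1"))
    print(rule_6000000_matches({"subnet4": "128.104.1.128/25"}))
```

Note that a wider alarm subnet (128.104.0.0/16) does not match the /24 rule: the comparison is one-directional, which is what makes it safe to key an impact on a rule CIDR without accidentally catching every alarm from a larger aggregate.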


Keywords: FIDO help file helpfile generic alarm matching criteria examples
Doc ID: 37246
Owner: Michael H.
Group: Network Services
Created: 2014-02-03 11:48:21
Updated: 2023-09-14 11:53:03
Sites: Network Services, Systems & Network Control Center