FIDO: generic alarm matching criteria and examples
FIDO has several attributes, including 'impact', 'help files', 'time of day', 'holddown' and 'group_correlation', that all use the same alarm matching criteria.
Alarms are processed in the following order:
items {exact matches}
pre_attributes: {override for CIDR based matching}
ip: {CIDR based matching}
attributes: {generic criteria}
The 'same_as' keyword lets a match inherit its actions from another match. As of 2022/03/16, same_as support is FIDO specific. See the examples below.
IPs are matched against a trie.
Attributes are matched in numerical order of the rule number.
IP based matching, IPv4 and IPv6
ip:
  206.108.255.0/24:
    # any alarm with an IP in this range will be treated as impact 4, no matter the alarm type.
    fido_impact:
      reason: MICE peering
      value: '4'
  2001:504:27::/64:
    same_as: 206.108.255.0/24
Alarm attribute based matching
Rules are processed in numerical order. Each rule can have submatches (the <matches> tag). The <matches> rules form a logical AND.
Under each 'matches:' rule there can be either an 'undefined', 'defined' or 'equal' entry, -OR- one or more 'match' or 'portTags' values. Invoking 'portTags' will try to match the given string through the NS::portTags module. 'match' and 'portTags' values are perl regular expressions that are quoted [($possible_match =~ m/\Q$_\E/i);], so regexp special characters in the value match literally.
For 'match', if you set the 'match_re = true' keyword [see the BAN example below], special characters are preserved and the value is used as a real regexp [($possible_match =~ m/$_/i);].
For 'match', if you set the 'match_CIDR = true' keyword, the value is treated as a prefix and a less-than-or-equal match applies: an alarm prefix that is the same as, or more specific than (contained in), the rule's prefix matches. See the match_CIDR example below.
There can also be one or more FIDO alarm 'key_match' values. These form a mesh logical OR. So, for example, in rule 1000 / match 10 below, only one of device, descr or the info description needs to match s-vahosp-101-1-access for the alarm to be accepted by the rule.
---
attributes:
  # some time of day examples. these would be uncommented to actually do something
  # this rule is only in effect a few hours a day from 2018/12/10 3pm to 2018/12/12 3pm
  # you can use time OR valid, you don't need to use both.
  #time: 2pm-4pm,6pm-8pm
  #valid:
  #  start: 2018/12/10 3pm
  #  end: 2018/12/12 3pm
  '1000':
    fido_help_files:
      value: BanVAHospital
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: s-vahosp-101-1-access
  '1040':
    fido_help_files:
      value: BAN Support Process
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: ^fa-.*-ban
        match_re: 'true'
  '1050':
    # this keeps alarms that match in a holddown (one year here, see 'time')
    # the 'absolute_time' tidbit forces the comment to take place automatically
    fido_holddown:
      comment: $reason
      reason: Juniper Fan
      # one year, in minutes
      time: 525960
      # item will stay auto commented
      absolute_time: never
    fido_impact:
      reason: Juniper Fan
      value: '4'
  # different ways to match on the management network. You need separate rules since 'matches' are a logical AND, not an OR, but the use of 'same_as' helps reduce errors.
  '1200':
    fido_help_files:
      value: management network
    fido_impact:
      reason: management network
      value: '3'
    matches:
      '20':
        key_match: ___infohash___Descr
        # note, this will match even if the descr is :RMI: for example
        portTags:
          RI: ''
  '1210':
    same_as: 1200
    matches:
      '10':
        key_match:
          device: ''
          ___infohash___Descr: ''
        match:
          ^t-: ''
          ^s-.+-mgmt: ''
        match_re: '1'
  '1220':
    same_as: 1200
    matches:
      '10':
        key_match: interface
        match:
          fxp0: ''
  # if this interface is so unimportant that it doesn't have a description, don't escalate it
  100000:
    fido_impact:
      reason: interface has no description
      value: '3'
    matches:
      '10':
        key_match: test
        equal: ifOperStatus
      '20':
        key_match: ___infohash___Descr
        undefined: ''
  101000:
    # this keeps alarms that match in a 15 minute holddown
    fido_holddown:
      reason: impact escalation holddown
      time: 15
    matches:
      10:
        key_match: ___impact___value
        match:
          3: ''
          4: ''
match_CIDR example: here an alarm whose subnet4 is 128.104.1.128/25 matches, because that prefix lies within the rule's 128.104.1.0/24.
6000000:
  matches:
    10:
      key_match: subnet4
      match: 128.104.1.0/24
      match_CIDR: 1
  reason: test
  value: 1.2K
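As an added illustration of the attribute-matching semantics described above (this is not FIDO's own code, which is perl): 'matches' entries AND together, 'key_match' keys form a mesh OR, 'match' values are quoted unless match_re is set, and match_CIDR accepts the same or a more specific prefix. The rule dicts are trimmed copies of rules 1040, 100000 and 6000000 from this page; the alarms fed to them are constructed.

```python
import ipaddress, re

# Constructed mini-evaluator of the matching semantics described on this page;
# it is not FIDO's own code. Rule dicts mirror the YAML rule shape above.
RULES = {
    "1040": {"matches": {"10": {"key_match": {"___infohash___Descr": "", "descr": "", "device": ""},
                                "match": "^fa-.*-ban", "match_re": "true"}}},
    "100000": {"matches": {"10": {"key_match": "test", "equal": "ifOperStatus"},
                           "20": {"key_match": "___infohash___Descr", "undefined": ""}}},
    "6000000": {"matches": {"10": {"key_match": "subnet4", "match": "128.104.1.0/24", "match_CIDR": 1}}},
}

def as_list(v):
    return [v] if isinstance(v, str) else list(v)  # scalar, or mapping whose keys are the values

def value_matches(pattern, value, match_re=False, match_cidr=False):
    """One 'match' pattern against one alarm value."""
    if match_cidr:  # rule prefix matches the same or a more specific alarm prefix
        try:
            return ipaddress.ip_network(value, strict=False).subnet_of(
                ipaddress.ip_network(pattern, strict=False))
        except (ValueError, TypeError):  # not a prefix, or IPv4 vs IPv6 mix
            return False
    if match_re:  # m/$_/i: pattern is used as a real regexp
        return re.search(pattern, value, re.I) is not None
    return re.search(re.escape(pattern), value, re.I) is not None  # m/\Q$_\E/i

def submatch_ok(sub, alarm):
    """One numbered entry under 'matches'. The key_match keys form a mesh OR."""
    flags = {k: str(sub.get(k, "")).lower() in ("1", "true") for k in ("match_re", "match_CIDR")}
    for key in as_list(sub["key_match"]):
        present = alarm.get(key) not in (None, "")
        if "undefined" in sub and not present:
            return True
        if not present:
            continue
        if "defined" in sub or ("equal" in sub and alarm[key] == sub["equal"]):
            return True
        if any(value_matches(p, str(alarm[key]), flags["match_re"], flags["match_CIDR"])
               for p in as_list(sub.get("match", []))):
            return True
    return False

def rule_hits(rule, alarm):  # every entry under 'matches' must hold (logical AND)
    subs = rule.get("matches", {})
    return all(submatch_ok(subs[n], alarm) for n in sorted(subs, key=int))

def matching_rules(alarm):  # rule numbers the alarm satisfies, in processing order
    return [n for n in sorted(RULES, key=int) if rule_hits(RULES[n], alarm)]
```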
