FIDO: generic alarm matching criteria and examples

FIDO: generic alarm matching criteria and examples

FIDO has several attributes, including 'impact' and 'help files', 'time of day', 'holddown' and 'group_correlation' that use the same alarm matching criteria.

Alarms are processed in the following order:

items {exact matches}
pre_attributes: {override for CIDR based matching}
ip: {CIDR based matching}
attributes: {generic criteria}

Exact matches

items:
  device=r-m10i-lab.wiscnet.net_object=Routing-Engine-0_jnxOperatingCPU.rrd-juniper_cpu:
    value: $value

IP based matching, IPv4 and IPv6

ip:
  144.92.233.224/27:
    fido_help_files:
      value: MadIX
    fido_impact:
      reason: madIX peering
      value: '4'

Alarm attribute based matching

Rules are processed in numerical order.  Each rule can have submatches (<matches> tag).  The <matches> rules form a logical AND. 

Under each 'matches:' rule, there can be either a 'defined', 'equal', -OR- one or more 'match' value or 'match_re' values.  'match' values are perl regular expressions.  If you set the 'match_re = true' keyword [see BAN example below] special characters will be preserved for the regexp match. 

There can also be one more more FIDO alarm 'key_match' values.  These rules form a mesh logical OR.  So, for example, in the below rule 10 match 10, only device, descr or info needs to match s-vahosp-101-1-access to be accepted by the rule.

---
attributes:
    #time: 2pm-4pm,6pm-8pm
    #valid:
    #  start: 2018/12/10 3pm
    #  end: 2018/12/12 3pm
  '1000':
    fido_help_files:
      value: BanVAHospital
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: s-vahosp-101-1-access
  '1040':
    fido_help_files:
      value: BAN Support Process
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: ^fa-.*-ban
        match_re: 'true'

See Also: