FIDO: generic alarm matching criteria and examples
Several FIDO attributes, including 'impact', 'help files', 'time of day', 'holddown' and 'group_correlation', use the same alarm matching criteria.
Alarms are processed in the following order:
items: {exact matches}
pre_attributes: {override for CIDR based matching}
ip: {CIDR based matching}
attributes: {generic criteria}
Exact matches
items:
  device=r-m10i-lab.wiscnet.net_object=Routing-Engine-0_jnxOperatingCPU.rrd-juniper_cpu:
    value: $value
IP based matching, IPv4 and IPv6
ip:
  144.92.233.224/27:
    fido_help_files:
      value: MadIX
    fido_impact:
      reason: madIX peering
      value: '4'
Alarm attribute based matching
Rules are processed in numerical order. Each rule can have submatches (<matches> tag). The <matches> rules form a logical AND.
Under each 'matches:' rule, there can be either a 'defined', 'equal', -OR- one or more 'match' values. 'match' values are Perl regular expressions that are quoted, so special characters are matched literally [($possible_match =~ m/\Q$_\E/i);]. If you set the 'match_re = true' keyword [see BAN example below], special characters will be preserved for the regexp match [($possible_match =~ m/$_/i);].
There can also be one or more FIDO alarm 'key_match' values. These rules form a mesh logical OR. So, for example, in the below rule 10 match 10, only one of device, descr or info needs to match s-vahosp-101-1-access to be accepted by the rule.
---
attributes:
  #time: 2pm-4pm,6pm-8pm
  #valid:
  #  start: 2018/12/10 3pm
  #  end: 2018/12/12 3pm
  '1000':
    fido_help_files:
      value: BanVAHospital
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: s-vahosp-101-1-access
  '1040':
    fido_help_files:
      value: BAN Support Process
    matches:
      '10':
        key_match:
          ___infohash___Descr: ''
          descr: ''
          device: ''
        match: ^fa-.*-ban
        match_re: 'true'
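The matching semantics described above, as an added Perl sketch that is not FIDO's own code: rules in numerical order, submatches ANDed, key_match keys ORed, and the two match expressions quoted on this page. The hash layout, the sub names and the sample alarms are assumptions made for this example.

```perl
use strict; use warnings;

# The two rules from the 'attributes:' example above, as a Perl hash (assumed layout).
my %rules = (
    1000 => { help => 'BanVAHospital', matches => { 10 => {
        key_match => [qw(___infohash___Descr descr device)],
        match     => 's-vahosp-101-1-access' } } },
    1040 => { help => 'BAN Support Process', matches => { 10 => {
        key_match => [qw(___infohash___Descr descr device)],
        match     => '^fa-.*-ban', match_re => 1 } } },
);

# One submatch: logical OR across the key_match alarm keys.
sub submatch_hits {
    my ($m, $alarm) = @_;
    my $pat = $m->{match};
    for my $key (@{ $m->{key_match} }) {
        my $possible_match = $alarm->{$key};
        next unless defined $possible_match;
        # match_re keeps regex metacharacters; the default quotes them.
        return 1 if $m->{match_re} ? $possible_match =~ m/$pat/i
                                   : $possible_match =~ m/\Q$pat\E/i;
    }
    return 0;
}

# Rules in numerical order; all submatches of a rule must hit (logical AND).
sub matching_rules {
    my ($alarm) = @_;
    my @hits;
    RULE: for my $id (sort { $a <=> $b } keys %rules) {
        my $matches = $rules{$id}{matches};
        for my $n (sort { $a <=> $b } keys %$matches) {
            next RULE unless submatch_hits($matches->{$n}, $alarm);
        }
        push @hits, "$id ($rules{$id}{help})";
    }
    return @hits;
}

# Constructed alarms, not taken from the page.
my @alarms = (
    { device => 's-vahosp-101-1-access' },
    { device => 'r-core-1', descr => 'link to S-VAHOSP-101-1-ACCESS-old' },
    { device => 'fa-example-ban' },
    { device => 'xfa-example-ban' },
);
for my $alarm (@alarms) {
    my $desc = join ', ', map { "$_=$alarm->{$_}" } sort keys %$alarm;
    my @hits = matching_rules($alarm);
    printf "%-55s => %s\n", $desc, @hits ? join('; ', @hits) : 'no rule';
}
```

A quoted 'match' is an unanchored, case-insensitive substring test, so the second alarm is accepted by rule 1000 through its descr field; anchor the pattern and set match_re when a rule must apply to one exact device name.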