If anyone who's had more experience with the cacti syslog plugin, that can answer a couple of my questions, it will be greatly appreciated.
I got the syslog plugin (1.22-2) from docs.cacti working with the latest release of cacti (0.8.8f), running with syslog-ng. Tables get populated, I've managed to circumvent some of the problems described in my thread here -> http://forums.cacti.net/viewtopic.php?f=14&t=55515, everything seems to be working.
I got around to testing the "Alert rules" and "Removal rules" features, and this is the part I have some questions on.
The most basic rule that popped into my mind was regarding cisco equipment. If you're using cacti to monitor a network, you're sure to want an alert whenever a port changes LINK-STATE, for example.
I've created an alert rule that "Contains" "LINK-3-UPDOWN: Interface % changed state to down". It is my understanding that % is considered as a wildcard. The rule seems to be working when I fiddle around with the ports, alerts get created.
Ok, we have an alert rule, but we also need a removal rule. I've created 2 removal rules:
1st of, if LINK comes up by itself -> "Contains" "LINK-3-UPDOWN: Interface % changed state to up"
- maybe someone restarted the equipment at the other end of the cable. Surely we don't need an open alert for a small link flap.
2nd of, if LINK turns to administratively down -> "Contains" "LINK-5-CHANGED: Interface % changed state to administratively down"
- maybe we had something connected at the other end of the cable that we turned off, so we put the port in shutdown.
I've created the rules mentioned above and started fiddling with the ports. The alert rule seems to do it's job, it opens up alerts as expected, whenever a LINK goes down. However, the removal rules don't seem to be working. Either that, or I have a poor understanding of what they're supposed to do. I'm expecting that the alerts be removed from "Syslog" --> "Alert Log"
Reading on the forums, I've found commands like php -q <cacti_path>/plugins/syslog/syslog_process.php --debug . Here is my output for the command:
By the looks of it, everything matches. I have 2 Removal rules, and 3 Alert rules (1 that I mentioned above, and 2 that fiddled around with, non-important to the discussion), but I have 0 Messages for removal rules.$ php -q plugins/syslog/syslog_process.php --debug
SYSLOG: Syslog Table IS Partitioned
SYSLOG: Unique ID = 70
SYSLOG: Found 0, New Message(s) to process
SYSLOG: Stats 0, Record(s) to the 'syslog_statistics' table
SYSLOG: Found 2, Removal Rule(s) to process
SYSLOG: Deleted 0, Messages for removal rule 'Cisco Link State changed to up'
SYSLOG: Deleted 0, Messages for removal rule 'Cisco Link State changed to administratively down'
SYSLOG: Found 3, Alert Rules to process
SYSLOG: Moved 0, Message(s) to the 'syslog' table
SYSLOG: Deleted 0, Already Processed Message(s) from incoming
SYSLOG: Deleted 0, Syslog Statistics Record(s)
SYSLOG: Deleted 0, Syslog alarm log Record(s)
SYSLOG: Processing Reports...
SYSLOG: We have 0 Reports in the database
SYSLOG: Finished processing Reports...
<date> - SYSTEM SYSLOG STATS:Time:0.04 Deletes:0 Incoming:0 Removes:0 XFers:0 Alerts:3 Alarms:0 Reports:0
Long story short, my questions are:
1. Whenever an alert opens, isn't the removal rule supposed to match it, and close the alert (like a ticket)? Should alerts remain open in the "Alerts Log" ?
2. Taking this particular case, what happens the moment when more interfaces change states ? For example if Gi1/1, Gi1/2, Gi1/3 all change states to down in this order, and Gi1/2 comes up. How does the alerting system recognize which one of the interfaces changed states, to close the alert. Will it close the alert for Gi1/2, or will it close for the first one that issued an alert (like Gi1/1). Is there a variable that can be matched in alert opening/removal ?
Thank you!
-tbone