# look for CHANGEME in the file below to modify it for your site.
# Rules in this area get all events from nagios log, event stream or internally
# generated.
#
# Set variables on SEC startup or soft restarts. These variables can be used
# in actions and contexts. They are not usable in patterns, so any pattern in
# this file that needs one of these values must hard-code it and be kept in
# step with the assignment below.
#   %notify          - email addresses for notifications via email.
#   %eventStreamFile - same as argument given to ext_corr.o --file argument.
#   %nagiosCmd       - the nagios external command file.
#   %S               - the control service for the module, second component
#                      of --control.
#   %H               - the host for the control service for the module, first
#                      component of --control.
#
# CHANGEME - change variables below for your site.
# NOTE(review): %eventStreamFile and %notify are expanded, unquoted, into a
# shellcmd / pipe action in the calendar rule further down, so keep them to
# plain paths and addresses without whitespace or shell metacharacters.
# NOTE(review): /tmp is a world-writable directory, and lines read from the
# event stream file can reach %nagiosCmd through the forward rule at the end
# of this file; a directory writable only by the account running the module
# and SEC is the safer location for %eventStreamFile.
type = single
desc = set variables and things on startup or restart of sec (core)
ptype = regexp
pattern = SEC_(STARTUP|RESTART|SOFTRESTART)
context = SEC_INTERNAL_EVENT
action = eval %notify (return "admin\@example.com"); \
         eval %eventStreamFile (return "/tmp/sec"); \
         eval %nagiosCmd (return "/var/spool/nagios/nagios.cmd"); \
         eval %S (return "ZSecControl"); \
         eval %H (return "ops01");

# This rule captures events/lines from the nagios log file so that the
# other rules won't try to process them. There is another file with
# rules that handle the log file. Meant to be used with start_sec.
# The NAG_LOG context is not created anywhere in this file; presumably it is
# set by the log-file rule set or by start_sec — verify when deploying.
type = suppress
desc = capture nagios log messages (core)
ptype = tvalue
pattern = true
context = NAG_LOG

# Start rules that apply to the event stream
# Format of the events is a 4 character prefix followed by a nagios
# PROCESS_SERVICE_CHECK_RESULT passive command. See:
# http://nagios.org/developerinfo/externalcommands/commandinfo.php?print=true&command_id=114
# for details on the nagios passive command.
#
# The 4 character prefix consists of:
#   character 1 - current service status
#       0 - current status of service is ok
#       1 - current status of service is warning
#       2 - current status of service is critical
#       3 - current status of service is unknown
#   character 2 - module mode
#       2 - pass event to nagios (mode 2)
#       3 - pass modified event to nagios (mode 3)
#       4 - remove event from nagios (mode 4 not yet implemented)
#   character 3 - active or passive event
#       a - active event
#       p - passive event
#   character 4 - space delimiter
#
# start rules for the nagios event stream
#
# default core rules for SEC/Nagios integration

# Map the poll from SecReport to SecAliveCheck to prove that sec is running
# and processing events.
# NOTE(review): the trailing "." after "SEC" is an unescaped regexp
# metacharacter and matches any single character; "SEC\." would pin the
# literal period if that is what is intended.
type = single
desc = Handle SEC Keepalive (core)
ptype = regexp
rem = CHANGEME replace ops01 with the name of your nagios host
pattern = ops01;SecReport.*Testing SEC.
action = write %nagiosCmd ([%u] PROCESS_SERVICE_CHECK_RESULT;%H;SecAliveCheck;0;OK: SEC is forwarding events)

# The event stream file is rotated every day at 6AM by the calendar rule
# below; this rule detects the event caused by that scheduled rotation.
# It will be the first event in the new file, so if we see it the NEB
# module has completed the rotation and is writing to the new file, and
# SEC has detected the files were shuffled and is receiving the new event
# stream. Deleting the time_rotation context here cancels the failure
# email queued by the calendar rule; if the event is not seen before the
# context expires, we have a problem and the email is sent.
# NOTE(review): the host, service and path in this pattern must equal %H,
# %S and %eventStreamFile from the startup rule (patterns cannot expand
# variables). As shipped the startup rule uses /tmp/sec while this pattern
# uses /tmp/sampler, so the rotation would never be confirmed until one of
# them is changed.
type = single
desc = if file rotation occurs, delete the time_rotation context (core)
ptype = substr
rem = CHANGEME replace ops01 and ZSecControl with the name of your nagios host
rem = and command service (specified by --control passed to the
rem = nagios module) and replace /tmp/sampler with the argument to
rem = the --file option.
pattern = PROCESS_SERVICE_CHECK_RESULT;ops01;ZSecControl;0;Output file /tmp/sampler reopened
context = time_rotation
action = delete time_rotation

# generate the rotation every morning at 6AM.
# Runs daily at 06:00 (cron-style "minute hour dom month dow" field order).
# The shellcmd moves the current event stream file aside, then creates the
# time_rotation context with a 60 second lifetime whose expiry action pipes
# a message to /bin/mail addressed to %notify, and finally writes a
# "rotate|" check result for host %H / service %S so the module reopens its
# output file. If the module's "reopened" event arrives within 60 seconds
# the rule above deletes the context and no mail is sent; otherwise the
# context expires and the failure mail goes out.
# NOTE(review): %eventStreamFile and %notify are interpolated into the shell
# command line without quoting; they are set from constants in the startup
# rule, so keep them free of whitespace and shell metacharacters.
# NOTE(review): desc mentions /etc/sample while the startup rule sets
# %eventStreamFile to /tmp/sec — the description looks stale.
type = calendar
time = 00 06 * * *
desc = rotate /etc/sample within 60 seconds once a day (core)
rem = move file, start context that will detect if rotation
rem = not done is 60 seconds, write event to cause module to rotate file
action = shellcmd /bin/mv %eventStreamFile %{eventStreamFile}.old; \
         create time_rotation 60 (pipe '%s' /bin/mail -s "%eventStreamFile file rotation failure" %notify ); \
         write %nagiosCmd ([%u] PROCESS_SERVICE_CHECK_RESULT;%H;%S;0;rotate|)

# Forward any active mode 3 event that hasn't been handled above to
# nagios. This will make the event take effect and change the status
# of the service.
# The rules above do not set "continue", so events they match are consumed
# there (SEC's default when continue is not given) and only otherwise
# unmatched mode-3 active events reach this rule. $2 is everything after
# the 4 character prefix and is written verbatim into the nagios command
# file: nothing in this rule validates the payload, so the event stream
# file must only be writable by the module that produces it.
type = single
desc = Forward Active Mode 3 Events (core)
ptype = regexp
pattern = ^(.3a )(.*)$
action = write %nagiosCmd $2