SEC
From OzmoWiki
Simple Event Correlator (sec.pl) is AWESOME. But you probably came here knowing that. Below are some intermediate to advanced tips I have picked up along the way.
Defining a Map for Data
Problem: I had a number of ports on a switch that needed to be identified individually. To the server team, merely saying Gig3/39 was down did not mean diddly-squat. To be efficient, they needed proper server names.
Solution: Rather than build a separate rule for each port, each with its own name and action, I combined ALL the rules using a hash map. First, I created a friendlynames.txt which holds the translations. In the .sec file, the first rule loads the translations into a Perl hash at startup. Then, when a monitored line comes through with a matching pattern, it triggers the action ONLY if a hash entry exists for that interface (checked in the context expression). Finally, return the hash value as a variable and do what you will with it.
/etc/sec/friendlynames.txt
==========================
GigabitEthernet1/37=TEST SERVER
GigabitEthernet3/39=IMPORTANT SERVER
/etc/sec/testing.sec
====================
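# SEC must be started with --intevents for SEC_STARTUP/SEC_RESTART to be generated.
# ptype must be RegExp: SubStr would treat the | as a literal character.
type=Single
desc=Load hashes at startup
ptype=RegExp
continue=TakeNext
pattern=^(SEC_STARTUP|SEC_RESTART)$
context=SEC_INTERNAL_EVENT
action=eval %a ( open(my $fh, "<", "/etc/sec/friendlynames.txt") or return; \
  while (<$fh>) { chomp; my ($key, $val) = split /=/, $_, 2; \
    $hash{$key} = $val if defined $val; } \
  close($fh); )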
#Aug 1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
type=Single
desc=Fire Event
ptype=RegExp
pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
context= =($hash{"$1"})
action=eval %host ( return $hash{"$1"}; ); logonly **** Uh-oh! Problem with %host ****
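SEC inserts $1 into the Perl text of the context and eval before compiling it, so the lookup above is safe only because [\w\/]+ cannot match quotes or other Perl metacharacters. The variant below is an added example, not part of the original page: it passes $1 as a function argument using SEC's -> parameter syntax, so a looser pattern (\S+ here, an assumption to cover names such as Port-channel1) still reaches Perl as data rather than code.

```conf
# Added example: same lookup, but $1 arrives in Perl as $_[0] (data),
# never as part of the compiled code.
# Assumes the startup rule above has already filled the hash.
type=Single
desc=Fire Event
ptype=RegExp
pattern=%LINK-3-UPDOWN: Interface (\S+), changed state to down
context=$1 -> ( sub { exists $hash{$_[0]} } )
action=lcall %host $1 -> ( sub { $hash{$_[0]} } ); \
       logonly **** Uh-oh! Problem with %host ****
```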
Credits
Thanks to the crew at the Simple-Evcorr Mailing List for their assistance.

