In the following example, the from clause executes the Abstract rule when a LOGIN_FAILURE event is received from a system with an IP address within the specified IP range. The setup clause populates the slots of the abstraction event, SERVERS_LOGIN_ATTACK. The when clauses keep a count of servers under login attack: they increment the num_servers slot when the LOGIN_FAILURE event's status is OPEN and decrement it when the event closes.

Abstract rule example 1 

abstract SLA :
   SERVERS_LOGIN_ATTACK($SLA)
   from LOGIN_FAILURE($LF)
      where [ mc_host_address: ip_matches '200.200.*.<25']
   setup {
      $SLA.date = $LF.date ;
      $SLA.mc_host = 'SUBNET' ;
      $SLA.mc_host_address = '200.200.0.0' ;
      $SLA.msg = "Servers under login attack" ;
   }
   when $LF.status : equals OPEN
   {
      $SLA.num_servers = $SLA.num_servers + 1 ;
   }
   when $LF.status : equals CLOSED
   {
      $SLA.num_servers = $SLA.num_servers - 1 ;
   }
END

Consider a scenario in which several events have to be aggregated, indicating that services have not been restarted even after the restart of a server. One abstract event per server is required. To define this, the following event class is used:

Abstract rule example 2

MC_EV_CLASS :
   SERVICES_NOT_RESTARTED ISA EVENT
   DEFINES
   {
      mc_host:   dup_detect=yes;
      services:  LIST_OF STRING;
   };
END

In the previously mentioned example, mc_host is a dup_detect slot, so at most one abstraction event exists per server, and services is a list slot in which the names of the services that have not been restarted are stored. The following abstract rule implements the scenario described.

Abstract rule for event relationship example 2

abstract services_not_restarted_after_server_reboot:
   {
      description="a SERVICES_NOT_RESTARTED abstraction event is generated for each server\
        that has been (re)started and on which some services are not (yet) started"
   }:
   SERVICES_NOT_RESTARTED($SNR:"abstraction (services down after restart)":[mc_host,date_reception,services,msg,status])
   from SERVICE_DOWN($SD:"abstracted (service down)":[mc_object,date_reception,msg,status])
   using
   {
      SERVER_START($SS:"server_start event":[mc_host,date_reception,msg,status])
      where [$SS.mc_host == $SD.mc_host AND
             $SS.status == OPEN AND
             $SS.date_reception < $SD.date_reception]
   }
   setup
   {
      $SNR.mc_host = $SS.mc_host;
   }

   when $SD.status: equals OPEN
   {
      add_to_list($SD.mc_object, $SNR.services) ;
   }

   when $SD.status: equals CLOSED
   {
      rem_from_list($SD.mc_object, $SNR.services) ;

      if( $SNR.services equals [] ) then
      {
         $SNR.status = CLOSED ;
         $SNR.msg= 'Every services are now started';
         $SS.status=CLOSED;
         opadd($SS, 'EVENT_CLOSED', 'Closed after every services have been started');
         set_relationship_description(sprintf('Every previously pending services after %s was booted have now been started',[$SS.mc_host]));
      };
   }

END

Consider the following sequence of events:

at 10:00:00

SERVER_START;event_handle=100;mc_host=host2;END

at 10:01:00

SERVICE_DOWN;event_handle=200;msg="after server start";mc_host=host2;mc_object=service1;END

at 10:02:00

SERVICE_DOWN;event_handle=300;msg="after server start";mc_host=host2;mc_object=service2;END

at 10:02:30

SERVICE_DOWN;event_handle=400;msg="after server start";mc_host=host2;mc_object=service3;END

After the first SERVICE_DOWN event is received, one SERVICES_NOT_RESTARTED abstraction event is generated:

SERVICES_NOT_RESTARTED; event_handle=202;mc_host=host2;services=[service1];END

After the second and third SERVICE_DOWN events are received, the same abstraction event (event_handle 202) is updated with the additional services rather than a new one being generated:

SERVICES_NOT_RESTARTED; event_handle=202;mc_host=host2;services=[service1,service2,service3];END
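To make the rule's behaviour concrete, here is an added Python model of the SERVICES_NOT_RESTARTED abstraction (it is not BMC's code and not MRL; it only imitates the semantics of the using, setup and when clauses). It replays the constructed event sequence above: one abstraction per server because mc_host is the dup_detect slot, OPEN SERVICE_DOWN events add their mc_object to the services list, CLOSED ones remove it, and an empty list closes both the abstraction and the matching SERVER_START. The event handles, the timestamps (seconds since midnight) and the reuse of handle 202 are constructed to mirror the page's output, and the empty-list test is written as len(...) == 0, the analogue of listlen().

```python
# Added example (not BMC's code, not MRL): a Python model of the
# SERVICES_NOT_RESTARTED abstraction rule from example 2, replayed over the
# constructed event sequence shown on the page. Handles and timestamps are
# constructed; 202 is reused so the output matches the page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    event_class: str
    event_handle: int
    mc_host: str
    status: str = "OPEN"
    mc_object: str = ""             # service name (SERVICE_DOWN only)
    date_reception: int = 0         # seconds since midnight, constructed
    msg: str = ""
    services: List[str] = field(default_factory=list)  # LIST_OF STRING slot
    ops: List[str] = field(default_factory=list)       # stand-in for opadd()


class ServicesNotRestartedRule:
    """Models the 'using', 'setup' and both 'when' clauses of the rule.
    mc_host is the dup_detect slot: at most one OPEN abstraction per server."""

    def __init__(self) -> None:
        self.server_starts: Dict[str, Event] = {}   # OPEN SERVER_START per host
        self.abstractions: Dict[str, Event] = {}    # SERVICES_NOT_RESTARTED per host
        self.abstracted: Dict[int, Tuple[Event, Event, Event]] = {}  # SD handle -> (SD, SNR, SS)
        self._next_handle = 202                     # constructed handle counter

    def receive(self, ev: Event) -> Optional[Event]:
        """Feed a newly received event; returns the abstraction it joined, if any."""
        if ev.event_class == "SERVER_START":
            self.server_starts[ev.mc_host] = ev
            return None
        if ev.event_class != "SERVICE_DOWN":
            return None
        # 'using' clause: an OPEN SERVER_START for the same host, received earlier
        ss = self.server_starts.get(ev.mc_host)
        if ss is None or ss.status != "OPEN" or not ss.date_reception < ev.date_reception:
            return None
        snr = self.abstractions.get(ev.mc_host)
        if snr is None or snr.status != "OPEN":
            # 'setup' clause: populate the slots of the new abstraction
            snr = Event("SERVICES_NOT_RESTARTED", self._next_handle, ss.mc_host,
                        date_reception=ev.date_reception)
            self._next_handle += 1
            self.abstractions[ev.mc_host] = snr
        self.abstracted[ev.event_handle] = (ev, snr, ss)
        self._when_clauses(ev, snr, ss)
        return snr

    def set_status(self, event_handle: int, status: str) -> Event:
        """A status change on an abstracted SERVICE_DOWN re-evaluates the when clauses."""
        sd, snr, ss = self.abstracted[event_handle]
        sd.status = status
        self._when_clauses(sd, snr, ss)
        return snr

    def _when_clauses(self, sd: Event, snr: Event, ss: Event) -> None:
        if sd.status == "OPEN":
            if sd.mc_object not in snr.services:   # add_to_list()
                snr.services.append(sd.mc_object)
        elif sd.status == "CLOSED":
            if sd.mc_object in snr.services:       # rem_from_list()
                snr.services.remove(sd.mc_object)
            if len(snr.services) == 0:             # listlen($SNR.services) == 0
                snr.status = "CLOSED"
                snr.msg = "Every services are now started"
                ss.status = "CLOSED"
                ss.ops.append("EVENT_CLOSED: Closed after every services have been started")


def replay_page_sequence() -> Tuple[ServicesNotRestartedRule, List[List[str]]]:
    """Replay the constructed 10:00:00 - 10:02:30 sequence; returns the rule and
    the services slot of the abstraction after each SERVICE_DOWN."""
    rule = ServicesNotRestartedRule()
    t0 = 10 * 3600
    stream = [
        Event("SERVER_START", 100, "host2", date_reception=t0),
        Event("SERVICE_DOWN", 200, "host2", mc_object="service1",
              date_reception=t0 + 60, msg="after server start"),
        Event("SERVICE_DOWN", 300, "host2", mc_object="service2",
              date_reception=t0 + 120, msg="after server start"),
        Event("SERVICE_DOWN", 400, "host2", mc_object="service3",
              date_reception=t0 + 150, msg="after server start"),
    ]
    snapshots = []
    for ev in stream:
        snr = rule.receive(ev)
        if snr is not None:
            snapshots.append(list(snr.services))
    return rule, snapshots


def close_services(rule: ServicesNotRestartedRule, handles: List[int]) -> Event:
    """Close the given SERVICE_DOWN events in order; returns the abstraction."""
    snr = None
    for h in handles:
        snr = rule.set_status(h, "CLOSED")
    return snr
```

Calling replay_page_sequence() yields the three snapshots ['service1'], ['service1', 'service2'] and ['service1', 'service2', 'service3'] on the single abstraction with handle 202; closing handles 200, 300 and 400 afterwards empties the list, closes the abstraction and closes the SERVER_START event, which is the same path the CLOSED when clause takes in the rule.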

1 Comment

  1. The second example of an Abstract rule does not work as expected, as the following when clause in the rule fails to evaluate when the services slot of the SERVICES_NOT_RESTARTED event is empty.


    when $SNR.services: equals []
    {
        $SNR.status = CLOSED ;
        $SNR.msg= 'Every services are now started';
        $SS.status=CLOSED;
        opadd($SS, 'EVENT_CLOSED', 'Closed after every services have been started');
        set_relationship_description(sprintf('Every previously pending services after %s was booted have now been started',[$SS.mc_host]));
    }


    Below is the correct Abstract rule.


    abstract services_not_restarted_after_server_reboot:
    {
          description="a SERVICES_NOT_RESTARTED abstraction event is generated for each server\
            that has been (re)started and on which some services are not (yet) started"
    }:
      SERVICES_NOT_RESTARTED($SNR:"abstraction (services down after restart)":[mc_host,date_reception,services,msg,status])
      from SERVICE_DOWN($SD:"abstracted (service down)":[mc_object,date_reception,msg,status])
            using
            {
                SERVER_START($SS:"server_start event":[mc_host,date_reception,msg,status])
                    where [$SS.mc_host == $SD.mc_host AND $SS.status == OPEN AND $SS.date_reception < $SD.date_reception]
            }
            setup
            {
                $SNR.mc_host = $SS.mc_host;
            }

            when $SD.status: equals OPEN
            {
            add_to_list($SD.mc_object, $SNR.services) ;
            }

            when $SD.status: equals CLOSED
            {
                rem_from_list($SD.mc_object, $SNR.services) ;
                if (listlen($SNR.services) == 0) then
                {
                    $SNR.status = CLOSED ;
                    $SNR.msg= 'Every services are now started';
                    $SS.status=CLOSED;
                    opadd($SS, 'EVENT_CLOSED', 'Closed after every services have been started');
                    set_relationship_description(sprintf('Every previously pending services after %s was booted have now been started',[$SS.mc_host]));
                };
            }
    END