Looper - Alert Routing System.
Mohit Muthanna [mohit AT muthanna DOT com]

Module Reference

Netcool Notes: Make sure the interfaces file is copied to the FreeTDS home directory. If your looper installation directory was /opt/looper then the freetds dir is /opt/looper/freetds. Also note that, since version 0.5, the netcool modules don't need username and password. They use the Netcool probe login accounts. This way, ProbeWatch messages are enabled. Use the username and password only if the objectserver is running in secure mode.

Debugging Notes: The 'debuglevel' token (listed as 'debugmode' in the module sections below) is used in all these modules to set the level of debugging output the module generates. These are the available values:

0 - System Events (Only important system events are logged here)
1 - Errors
2 - Warnings
3 - Informational
4 - Debug

So if you set 'debuglevel' to 4, you get all levels logged; if it is set to 3, only levels 3 and below are logged. Get it?

Input Modules

snmpd_in : SNMP trap receiver

Listens for SNMPv1 (or v2) traps and returns trap information and a raw trap packet (which can be forwarded as-is to the SNMP output module). Also parses MIB files (since v0.8).

Configuration Tokens:

debugmode: Debug Level
debugmessages: Path to file to log debug messages

Additional Configuration Tokens for MIB parsing (0.8 and higher):
parsemibs: Set to '1' to enable MIB parsing.
mibpath: Colon separated list of directories to check for MIB files.
mibrepository: Directory to store pre-compiled MIBS (speeds up execution time on repeated runs).
enabledmibs: Comma separated names of MIBs to enable. Dependencies are automatically resolved. Eg. 'SNMPv2-SMI, RFC-1215, BRIDGE-MIB'.

Generated Tokens:

community: Trap community string
enterprise: Enterprise OID
agentaddr: Source IP address
generic-trap: Generic trap number
specific-trap: Specific trap number
uptime: Uptime
rawtrap: Base64 encoded raw trap data, useful for trap forwarding. (v0.6 and higher)
enterprisename: Resolved MIB Enterprise name. (If 'parsemibs' is enabled)
trapname: Resolved name of trap. (If 'parsemibs' is enabled)
trapdesc: Trap description. (If 'parsemibs' is enabled)

Varbinds are tokenized as follows. The OID numbers are in the tokens varbindOID0, varbindOID1, varbindOID2, etc., and the values are in varbind0, varbind1, varbind2, varbind3, etc. Also (as of version 0.6) varbindTag1, varbindTag2, etc. contain the numeric ASN tag header values. If 'parsemibs' is enabled, varbindResolved0..x return the resolved OID names as well.


syslog_in : Syslog Reader

Monitors a syslog file or pipe for events and generates tokens out of them. Note that this module reads the file right from the top.

Configuration Tokens:

logifile: Path to file that syslogd writes to. syslog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies where to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

date: Date and time of syslog event
node: Hostname where event came from
desc: Description of event


netcool_in : Netcool Alert Reader

Continuously polls netcool for new events. Can be used to feed to file or database.

Configuration Tokens:

server: Server Name (NCOMS)
username: Login username (only set if using secure mode)
password: Login password (only set if using secure mode)
sybasehome: Path to FreeTDS home dir. Usually /opt/looper/freetds.
sleeptime: Seconds to sleep before checking for updates.
filter: Netcool gateway style filter (eg., Type = 1 AND Node = 'prometheus')
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

This module populates the %inputTokens hash with field/value pairs from the database.


apacheerrorlog_in : Apache Error Log Reader
Monitors the Apache HTTP error_log file for events and returns tokens related to the event.

Configuration Tokens:

logifile: Path to file that Apache writes to. apacheerrorlog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies where to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

date: Date and time of error event
level: Error level
desc: Description of error
client: Client IP address (if available)


socket_in : Forking Socket Reader

A concurrent forking socket server that listens for Token / Value information on the specified port and feeds it into Looper.

Configuration Tokens:

port: Listen port
allow: Comma separated regexes of allowed IP addresses. Set to '*' for any. Eg. '127.0.0.1, 192.168.1.2'
lockfile: Lock file to use for concurrent event feeds; if unset defaults to '/tmp/socket_in.lock'
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

_host: Hostname:Port of received event
This is followed by token/value pairs depending on what the socket server receives.
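An added example (not Looper's own code) of how a defender would want the socket_in 'allow' token evaluated: each comma separated regex is matched against the whole peer address, so an entry written for one host cannot also admit addresses that merely contain it. How the installed module actually applies its regexes is not stated on this page, so verify that before relying on it; the function names here are hypothetical.

```python
import re

# Hypothetical helper, not Looper's own code. It compiles the socket_in
# 'allow' token into patterns and applies them anchored (fullmatch), so an
# entry such as 192\.168\.1\.2 cannot also admit 192.168.1.25 or
# 1192.168.1.2. Whether the real module anchors is an assumption to check.
def compile_allow_list(allow):
    """Return compiled patterns, or None when allow is '*' (any peer)."""
    allow = allow.strip()
    if allow == "*":
        return None
    patterns = []
    for item in allow.split(","):
        item = item.strip()
        if item:
            patterns.append(re.compile(item))
    return patterns

def is_allowed(patterns, peer_ip):
    """True if peer_ip fully matches one allow pattern ('*' admits all)."""
    if patterns is None:
        return True
    # fullmatch anchors at both ends; a pattern that wants a range
    # must say so explicitly, e.g. 10\.0\.0\..*
    return any(p.fullmatch(peer_ip) for p in patterns)

def loose_match(patterns, peer_ip):
    """Unanchored variant, shown only to make the difference visible."""
    if patterns is None:
        return True
    return any(p.search(peer_ip) for p in patterns)

if __name__ == "__main__":
    pats = compile_allow_list(r"127.0.0.1, 192\.168\.1\.2, 10\.0\.0\..*")
    for ip in ("192.168.1.2", "192.168.1.25", "1192.168.1.2", "10.0.0.77"):
        print(ip, "anchored:", is_allowed(pats, ip),
              "unanchored:", loose_match(pats, ip))
```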


logfile_in : File / Pipe reader.

Monitors a file for new log entries and sends the line to Looper based on a regex match.

Configuration Tokens:

logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
tailstyle: Specifies where to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

line: The entire matched line.


snort_in : Snort IDS CSV log reader

Monitors a Snort IDS CSV file or pipe. Make sure the line "output alert_CSV: /path/to/file default" is set in your snort rules file.

Configuration Tokens:

logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
tailstyle: Specifies where to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

src, srcport, dst, dstport, id, msg etc. etc. See snort manual section "CSV output" for a list and description of the tokens.
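A small reader, added here as an example and not part of Looper, showing how the 'tailstyle' and 'regexp' tokens described for logfile_in and snort_in (and the same tailstyle rule in syslog_in and apacheerrorlog_in) decide which lines reach Looper on the first pass over a file. The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import deque

# Hypothetical reader, not Looper's own code. 'tailstyle' follows this
# page: '0' starts at the end of the file (nothing already present is
# fed), a positive n starts n lines before the end, and a negative value
# reads the whole file. 'regexp' is applied to each line and only
# matching lines are emitted as the 'line' token.
def initial_lines(lines, tailstyle):
    """Select the lines an input module sees on its first pass."""
    n = int(tailstyle)
    if n < 0:
        return list(lines)                   # negative: whole file
    if n == 0:
        return []                            # '0': only lines written later
    return list(deque(lines, maxlen=n))      # 'n': last n lines (or fewer)

def feed(lines, tailstyle, regexp):
    """Return the events ({'line': ...}) Looper would receive."""
    pattern = re.compile(regexp) if regexp else None
    events = []
    for line in initial_lines(lines, tailstyle):
        if pattern is None or pattern.search(line):
            events.append({"line": line})
    return events

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = [
    "Jan 01 10:00:00 gw sshd[100]: Accepted publickey for ops",
    "Jan 01 10:00:05 gw sshd[101]: Failed password for root",
    "Jan 01 10:00:09 gw sshd[102]: Failed password for admin",
    "Jan 01 10:00:12 gw kernel: link up on eth0",
]

if __name__ == "__main__":
    for style in ("-1", "0", "2"):
        print("tailstyle", style, feed(SAMPLE_LOG, style, r"Failed password"))
```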


Output Modules

snmptrap_out : SNMP Writer / Forwarder / Exploder

Used to generate SNMP traps. Traps can be user-defined, or forwarded in the raw using the 'rawtrap' token.

Configuration Tokens:

managementstation: Station to send traps to.
port: UDP port number (162)
community: Community name
debugmode: Debug Level
debugmessages: Path to file to log debug messages
rawmode: Set to '1' to ignore all tokens and process in "RAW" mode. Useful for trap forwarding. RIPE mode tokens are ignored. See the sample trapfwd conf and rules files for examples. (v0.6 and higher)

RIPE mode configuration tokens:

agentaddress: Local agent IP address
enterprise: Private enterprise number (1.3.6.1.4.1.xxx)
varbindoids: Varbind OID prefix
varbinddelimeter: Delimiter to use in the varbinds token

Output Tokens:

RIPE Mode:
generictrap: Generic trap number
specifictrap: Specific trap number
varbinds: Varbinds delimited by varbinddelimeter.

RAW Mode:
rawtrap: Base64 encoded raw trap data.
enhancetrap: Additional (string) data to add to the varbinds. This is used to enhance the raw trap with additional information.


socket_out : TCP/IP socket writer

Sends Token / Value information to a remote socket reader.

Configuration Tokens:

host: Hostname to connect to.
port: Port number.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token / value pairs are forwarded.


email_out : E-Mail Gateway

Sends e-mail to the specified user based on token information.

Configuration Tokens:

mailpath: Path to mailer (/bin/mail)
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

mailto: Address of recipient.
mailsubject: Subject text.
mailbody: Rest of the e-mail.


syslog_out : Syslog writer.

Sends log events to the local syslog daemon.

Configuration Tokens:

ident: Identifying string in log file (looper).
facility: Syslog facility (local7).
logopt: Comma separated log options. Defaults to "pid, cons".
sockettype: Socket type (unix).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

priority: Syslog priority.
text: Log text.


mysql_out : MySQL Database writer.

Updates a MySQL database with log events. The database maintains real-time status information about the network (similar to looperdb, netcool, etc.). The required schema is in conf/mysql/create_db.sql. The mechanism used to insert / update / correlate / prevent duplicate events in the database is similar to the one used by looperdb and Netcool.

Configuration Tokens:

host: Hostname or IP address of MySQL host.
port: MySQL listen port address (3306).
database: Database name (netmanager).
statetable: Table name (events_state).
username: User Name (nmuser).
password: Password (nmuser).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Include all fields required for insertion / update in the hash. See schema for more details.

__update__: Comma separated list of fields for which updates are forced.


logfile_out : Log file writer.

Updates a logfile with event information. A useful debugging aid.

Configuration Tokens:

filename: Path to file.
append: Set to 1 to append to the file (as opposed to overwriting the existing file).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token/value pairs are written directly to the file.


looperdb_out : LooperDB writer.

Sends events to LooperDB.

Configuration Tokens:

host: IP address or hostname of LooperDB server.
port: Port on which stunnel is listening and forwarding events to LooperDB.
user: Username (system).
password: Password (buggeroff).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token/value pairs are sent as field value pairs to LooperDB.

Go to the Looper Event / Alert System home page: looper.sf.net.