Looper - Alert Routing System.
Module Reference

Netcool Notes: Make sure the interfaces file is copied to the FreeTDS home directory. If your Looper installation directory is /opt/looper, then the FreeTDS directory is /opt/looper/freetds. Also note that, since version 0.5, the Netcool modules do not need a username and password: they use the Netcool probe login accounts, which enables ProbeWatch messages. Set the username and password only if the ObjectServer is running in secure mode.

Debugging Notes: The 'debuglevel' token (listed as 'debugmode' in the module sections below) is used to set the level of debugging output generated by each module. These are the values available:
0 - System Events (only important system events are logged here)
1 - Errors
2 - Warnings
3 - Informational
4 - Debug
So if you set the level to 4, you get all levels logged; if set to 3, only 3 and below are logged. Get it?

Input Modules

snmpd_in : SNMP trap receiver
Listens for SNMPv1 (or v2) traps and returns trap information and a raw trap packet (which can be forwarded as-is to the SNMP output module). Also parses MIB files (since v0.8).
Configuration Tokens:
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Additional Configuration Tokens for MIB parsing (0.8 and higher):
parsemibs: Set to '1' to enable MIB parsing.
mibpath: Colon separated list of directories to check for MIB files.
mibrepository: Directory to store pre-compiled MIBs (speeds up execution time on repeated runs).
enabledmibs: Comma separated names of MIBs to enable. Dependencies are automatically resolved. Eg. 'SNMPv2-SMI, RFC-1215, BRIDGE-MIB'.
Generated Tokens:
community: Trap community string
enterprise: Enterprise OID
agentaddr: Source IP address
generic-trap: Generic trap number
specific-trap: Specific trap number
uptime: Uptime
rawtrap: Base64 encoded raw trap data, useful for trap forwarding. (v0.6 and higher)
enterprisename: Resolved MIB Enterprise name. (If 'parsemibs' is enabled)
trapname: Resolved name of trap. (If 'parsemibs' is enabled)
trapdesc: Trap description. (If 'parsemibs' is enabled)
Varbinds are tokenized as follows. The OID numbers are in the tokens varbindOID0, varbindOID1, varbindOID2, etc., and the values are in varbind0, varbind1, varbind2, varbind3, etc. Also (as of version 0.6) varbindTag1, varbindTag2, etc. contain the numeric ASN tag header values. If 'parsemibs' is enabled, then varbindResolved0..x returns the resolved OID names as well.

syslog_in : Syslog Reader
Monitors a syslog file or pipe for events and generates tokens out of them. Note that this module reads the file right from the top.
Configuration Tokens:
logifile: Path to file that syslogd writes to. syslog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
date: Date and time of syslog event
node: Hostname where event came from
desc: Description of event

netcool_in : Netcool Alert Reader
Continuously polls Netcool for new events. Can be used to feed a file or database.
Configuration Tokens:
server: Server Name (NCOMS)
username: Login username (only set if using secure mode)
password: Login password (only set if using secure mode)
sybasehome: Path to FreeTDS home dir. Usually /opt/looper/freetds.
sleeptime: Seconds to sleep before checking for updates.
filter: Netcool gateway style filter (eg., Type = 1 AND Node = 'prometheus')
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
This module populates the %inputTokens hash with field/value pairs from the database.

apacheerrorlog_in : Apache Error Log Reader
Monitors the Apache HTTP error_log file for events and returns tokens related to the event.
Configuration Tokens:
logifile: Path to file that Apache writes to. apacheerrorlog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
date: Date and time of error event
level: Error level
desc: Description of error
client: Client IP address (if available)

socket_in : Forking Socket Reader
A concurrent forking socket server that listens for Token / Value information on the specified port and feeds it into Looper.
Configuration Tokens:
port: Listen port
allow: Comma separated regexes of allowed IP addresses. Set to '*' for any. Eg. '127.0.0.1, 192.168.1.2'
lockfile: Lock file to use for concurrent event feeds; if unset defaults to '/tmp/socket_in.lock'
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
_host: Hostname:Port of received event
This is followed by token/value pairs depending on what is received by the socket server.

logfile_in : File / Pipe reader.
Monitors a file for new log entries and sends the line to Looper based on a regex match.
Configuration Tokens:
logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if the pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
line: The entire matched line.

snort_in : Snort IDS CSV log reader
Monitors a Snort IDS CSV file or pipe. Make sure the line "output alert_CSV: /path/to/file default" is set in your Snort rules file.
Configuration Tokens:
logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if the pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file.
regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Generated Tokens:
src, srcport, dst, dstport, id, msg, etc. See the Snort manual section "CSV output" for a list and description of the tokens.

Output Modules

snmptrap_out : SNMP Writer / Forwarder / Exploder
Used to generate SNMP traps. Traps can be user-defined, or forwarded raw using the 'rawtrap' token.
Configuration Tokens:
managementstation: Station to send traps to.
port: UDP port number (162)
community: Community name
debugmode: Debug Level
debugmessages: Path to file to log debug messages
rawmode: Set to '1' to ignore all tokens and process in "RAW" mode. Useful for trap forwarding. RIPE mode tokens are ignored. See the sample trapfwd conf and rules files for examples. (v0.6 and higher)
RIPE mode configuration tokens:
agentaddress: Local agent IP address
enterprise: Private enterprise number (1.3.6.1.4.1.xxx)
varbindoids: Varbind OID prefix
varbinddelimeter: Delimiter to use in varbind token
Output Tokens:
RIPE Mode:
generictrap: Generic trap number
specifictrap: Specific trap number
varbinds: Varbinds delimited by varbinddelimeter.
RAW Mode:
rawtrap: Base64 encoded raw trap data.
enhancetrap: Additional (string) data to add to the varbinds. This is used to enhance the raw trap with additional information.

socket_out : TCP/IP socket writer
Sends Token / Value information to a remote socket reader.
Configuration Tokens:
host: Hostname to connect to.
port: Port number.
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
Any token / value pairs are forwarded.

email_out : E-Mail Gateway
Sends e-mail to the specified user based on token information.
Configuration Tokens:
mailpath: Path to mailer (/bin/mail)
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
mailto: Address of recipient.
mailsubject: Subject Text.
mailbody: Rest of e-mail.

syslog_out : Syslog writer.
Sends log events to the local syslog daemon.
Configuration Tokens:
ident: Identifying string in log file (looper).
facility: Syslog facility (local7).
logopt: Comma separated log options. Defaults to "pid, cons".
sockettype: Socket type (unix).
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
priority: Syslog priority.
text: Log Text.

mysql_out : MySQL Database writer.
Updates a MySQL database with log events. The database maintains realtime status information of the network (similar to LooperDB, Netcool, etc.). The required schema is in conf/mysql/create_db.sql. The mechanism used to insert / update / correlate / prevent duplicate events in the database is similar to what is used by LooperDB and Netcool.
Configuration Tokens:
host: Hostname or IP address of MySQL host.
port: MySQL listen port address (3306).
database: Database name (netmanager).
statetable: Table name (events_state).
username: User Name (nmuser).
password: Password (nmuser).
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
Include all fields required for insertion / update in the hash. See the schema for more details.
__update__: Comma separated list of fields for which updates are forced.

logfile_out : Log file writer.
Updates a logfile with event information. Useful debugging aid.
Configuration Tokens:
filename: Path to file.
append: Set to 1 to append to the file (as opposed to overwriting the existing file).
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
Any token/value pairs are written directly to the file.

looperdb_out : LooperDB writer.
Sends events to LooperDB.
Configuration Tokens:
host: IP address or hostname of LooperDB server.
port: Port on which stunnel is listening and forwarding events to LooperDB.
user: Username (system).
password: Password (buggeroff).
debugmode: Debug Level
debugmessages: Path to file to log debug messages
Output Tokens:
Any token/value pairs are sent as field value pairs to LooperDB.

Go to the Looper Event / Alert System home page: looper.sf.net.
Mohit Muthanna [mohit AT muthanna DOT com]
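The socket_in 'allow' token above is a comma separated list of regexes matched against the peer's IP address, with '*' meaning any address. The following is an added illustration, not Looper's own code: the function names and the decision to anchor each regex are assumptions made here, and the 'anchored=False' path only shows why an unanchored pattern such as '192.168.1.2' also admits '192.168.1.20'.

```python
import ipaddress
import re
from typing import List, Optional

# Added example (not Looper's own implementation): evaluate a socket_in style
# 'allow' token against a connecting peer's IP address.


def parse_allow(allow: str) -> Optional[List[str]]:
    """Split the token into its individual regex strings; None means 'allow any'."""
    allow = allow.strip()
    if allow == "*":
        return None
    return [item.strip() for item in allow.split(",") if item.strip()]


def is_allowed(allow: str, peer: str, anchored: bool = True) -> bool:
    """Return True if 'peer' may feed events according to the 'allow' token.

    anchored=True wraps each regex in \\A(?:...)\\Z so that a pattern written as
    an address, e.g. 192.168.1.2, cannot also match 192.168.1.20.  anchored=False
    applies a plain re.search to the same list and demonstrates that over-match.
    """
    patterns = parse_allow(allow)
    if patterns is None:
        return True
    # Only a well-formed literal IP is ever compared against the list; anything
    # else is refused before a regex is consulted.
    try:
        ipaddress.ip_address(peer)
    except ValueError:
        return False
    for pat in patterns:
        regex = r"\A(?:" + pat + r")\Z" if anchored else pat
        if re.search(regex, peer):
            return True
    return False


if __name__ == "__main__":
    allow = "127.0.0.1, 192.168.1.2"  # the example value from the module reference
    for peer in ("192.168.1.2", "192.168.1.20", "10.0.0.7"):
        print(peer, "anchored:", is_allowed(allow, peer),
              "unanchored:", is_allowed(allow, peer, anchored=False))
```

With the page's example value, the anchored check admits 192.168.1.2 and refuses 192.168.1.20, while the unanchored variant admits both.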