Eyeglass Alarm forwarding Guide - SNMP Trap and Syslog


Overview:

This add-on solution allows Syslog messages on the Eyeglass appliance to be forwarded over SNMP. The Eyeglass Syslog contains PowerScale cluster alarms/events and DR status alarms from Eyeglass.


The normal Syslog forwarding feature available in the Eyeglass UI allows Syslog messages to be forwarded. This procedure additionally allows SNMP forwarding, using the supplied MIB, to a management platform.


Limitations

  1. Syslog and SNMP are limited in the information they can carry. Email alerts contain additional information that is not available over Syslog and SNMP due to protocol limits.
  2. The intent of SNMP or Syslog forwarding is to make the basic alarm type and severity available; detailed alarm data is available in the GUI or via email, which support more text and attachments. This alarm solution provides notification of an alarm, the application that generated it, and the severity.



Supported Alarms

  1. Eyeglass alarms
  2. PowerScale alarms are collected

Requirements:

  1. Eyeglass OVF version 2.6.x or greater.   Upgrade to the latest OVF if required with the guide here.
  2. Place the SUPERNA-EYEGLASS-MIB file onto your SNMP trap management station. The file is located on the appliance in /opt/pygls/lib/python3.6/site-packages/pygls/mibs

Configuration of SYSLOG Forwarding


  1. SSH to the appliance as the admin user
  2. sudo -s
  3. Enter the admin password
  4. vim /etc/syslog-ng/conf.d/superna.conf
  5. Paste this text into the file and change it as follows (press the letter i to insert text; when done, type : then type wq + Enter key):
    1. Replace x.x.x.x with the IP address of the syslog server you want to forward messages to

filter f_superna {
    message("Severity:CRITICAL") or message("Severity:WARNING") ;
};

destination logserver { udp("x.x.x.x" port(514)); };

log {
    source(src);
    source(chroots);
    filter(f_superna);
    destination(logserver);
};

  6. After making changes, syslog-ng must be restarted for the changes to take effect
    1. systemctl restart syslog-ng
  7. Check that it is running
    1. systemctl status syslog-ng
  8. It should show the active (running) state
  9. Done

How to forward by alarm Severity

To combine multiple alarm severities or message strings, see the example below:

filter f_superna_snmp {
    message("Severity:CRITICAL") or message("Severity:MAJOR") ;
};




How to Syslog forward Eyeglass application specific alarms (Ransomware Defender, Easy Auditor and DR)

  1. For DR alarms, filter on "Disaster Recovery"

filter f_superna {
    message("Disaster Recovery") ;
};

destination logserver { udp("x.x.x.x" port(514)); };

log {
    source(src);
    source(chroots);
    filter(f_superna);
    destination(logserver);
};

  2. For Ransomware alarms, filter on "Ransomware Defender"

filter f_superna {
    message("Ransomware Defender") ;
};

destination logserver { udp("x.x.x.x" port(514)); };

log {
    source(src);
    source(chroots);
    filter(f_superna);
    destination(logserver);
};

  3. For Easy Auditor alarms, filter on "Easy Auditor"

filter f_superna {
    message("Easy Auditor") ;
};

destination logserver { udp("x.x.x.x" port(514)); };

log {
    source(src);
    source(chroots);
    filter(f_superna);
    destination(logserver);
};



Syslog format examples to be used for Parsing with a Syslog server

How to search the Eyeglass appliance logs for examples of syslog alarm formatting

  1. Log in to the Eyeglass VM over SSH as admin
  2. sudo -s (enter admin password to become root)
  3. Search for Critical alarm examples
    1. grep -i 'severity:CRITICAL' /var/log/messages
  4. Search for Major alarm examples
    1. grep -i 'severity:MAJOR' /var/log/messages
  5. Search for Info alarm examples
    1. grep -i 'severity:INFO' /var/log/messages

Example of INFO Severity 

Sep 17 21:25:28 demo2 bash[31233]: 2020-09-17T21:25:28,675 [Thread-48] INFO SYSLOG AlarmHandlerTask:run [162] - Eyeglass, , Event: 2020-09-17 21:25:28.674, AID:\ifs\data\dfsdata\dlp\, Port:Nil, Type:null, EntityType:, Extra Data:{"reason":"There is no smart quota for /ifs/data/dfsdata/dlp/ limited by a Data Loss Prevention threat detector. no limit is enforced."}, Description:There is no smart quota for a path limited by a Data Loss Prevention threat detector , NSA, Severity:MAJOR, Impact:false, Category:EAU0005

Example of MAJOR Severity

Sep 18 07:50:22 demo2 bash[31233]: 2020-09-18T07:50:22,174 [Thread-48] INFO SYSLOG AlarmHandlerTask:run [162] - Eyeglass, , Event: 2020-09-18 07:50:22.174, AID:\ifs\data\dfsdata\dlp\, Port:Nil, Type:null, EntityType:, Extra Data:{"reason":"There is no smart quota for /ifs/data/dfsdata/dlp/ limited by a Data Loss Prevention threat detector. no limit is enforced."}, Description:There is no smart quota for a path limited by a Data Loss Prevention threat detector , NSA, Severity:MAJOR, Impact:false, Category:EAU0005

Example of CRITICAL Severity

Sep 18 07:50:00 demo2 bash[31233]: 2020-09-18T07:50:00,024 [Thread-48] INFO SYSLOG AlarmHandlerTask:run [162] - Eyeglass, , Event: 2020-09-18 07:50:00.023, AID:demoeca_1, Port:Nil, Type:null, EntityType:, Extra Data:{"info":"/dev/sdb - 89%\n","service":"Disk Space Monitor","severity":"CRITICAL","source":"demoeca_1"}, Description:Eyeglass Clustered Agent unexpected error. , NSA, Severity:CRITICAL, Impact:false, Category:ECA000
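
A parser for the alarm format shown in the samples above, for use on the receiving syslog server. This is an added example, not Superna code: the field layout is inferred from the samples on this page, and the names parse_alarm, HEAD, TAIL and the dictionary keys are this example's own. It reads the alarm severity from the trailing Severity: field rather than from the "severity" key inside Extra Data, since the two can differ (see the ransomware sample).

```python
import json
import re
from datetime import datetime

# Fixed-order fields that precede the JSON payload of an alarm line.
HEAD = re.compile(
    r"Event: (?P<event>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6}), "
    r"AID:(?P<aid>.*?), Port:(?P<port>[^,]*), Type:(?P<type>[^,]*), "
    r"EntityType:(?P<entity_type>[^,]*), Extra Data:"
)
# Fields that follow the payload. The token before Severity ("NSA" in every
# sample on the page) is captured as 'tag' without interpreting it.
TAIL = re.compile(
    r", Description:(?P<description>.*?)\s*, (?P<tag>\w+), "
    r"Severity:(?P<severity>\w+), Impact:(?P<impact>\w+), "
    r"Category:(?P<category>\w+)"
)
DECODER = json.JSONDecoder()


def parse_alarm(line):
    """Return a dict for one Eyeglass alarm line, or None when the line is
    not a complete alarm record (other log traffic, truncated datagram)."""
    head = HEAD.search(line)  # search(): any syslog or trap prefix is skipped
    if head is None:
        return None
    pos = head.end()
    try:
        # raw_decode stops exactly at the end of the JSON object, so commas,
        # braces and backslash escapes inside Extra Data cannot shift the
        # fields that come after it.
        extra, pos = DECODER.raw_decode(line, pos)
    except json.JSONDecodeError:
        # Empty payload: the tail follows immediately and still matches.
        # Damaged payload: the tail will not line up and the line is rejected.
        extra = None
    tail = TAIL.match(line, pos)
    if tail is None:
        return None
    rec = head.groupdict()
    rec.update(tail.groupdict())
    # Timestamp carries no zone; it is the appliance's local time.
    rec["event"] = datetime.strptime(rec["event"], "%Y-%m-%d %H:%M:%S.%f")
    rec["impact"] = rec["impact"] == "true"
    rec["extra"] = extra
    return rec


# Samples copied from this page (CRITICAL and MAJOR examples).
SAMPLE_CRITICAL = r'Sep 18 07:50:00 demo2 bash[31233]: 2020-09-18T07:50:00,024 [Thread-48] INFO SYSLOG AlarmHandlerTask:run [162] - Eyeglass, , Event: 2020-09-18 07:50:00.023, AID:demoeca_1, Port:Nil, Type:null, EntityType:, Extra Data:{"info":"/dev/sdb - 89%\n","service":"Disk Space Monitor","severity":"CRITICAL","source":"demoeca_1"}, Description:Eyeglass Clustered Agent unexpected error. , NSA, Severity:CRITICAL, Impact:false, Category:ECA000'
SAMPLE_MAJOR = r'Sep 18 07:50:22 demo2 bash[31233]: 2020-09-18T07:50:22,174 [Thread-48] INFO SYSLOG AlarmHandlerTask:run [162] - Eyeglass, , Event: 2020-09-18 07:50:22.174, AID:\ifs\data\dfsdata\dlp\, Port:Nil, Type:null, EntityType:, Extra Data:{"reason":"There is no smart quota for /ifs/data/dfsdata/dlp/ limited by a Data Loss Prevention threat detector. no limit is enforced."}, Description:There is no smart quota for a path limited by a Data Loss Prevention threat detector , NSA, Severity:MAJOR, Impact:false, Category:EAU0005'
# Abridged from the page's ransomware example: file list cut to one entry.
SAMPLE_RANSOMWARE = r'2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061'
# Non-alarm log line copied from the page's replication job examples.
SAMPLE_OTHER = r'bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done.'

if __name__ == "__main__":
    for raw in (SAMPLE_CRITICAL, SAMPLE_MAJOR, SAMPLE_RANSOMWARE, SAMPLE_OTHER):
        rec = parse_alarm(raw)
        if rec is None:
            print("skipped (not a complete alarm record)")
        else:
            print(rec["event"], rec["severity"], rec["category"],
                  rec["aid"], "-", rec["description"])
```

Lines that return None should be counted or logged by the receiver rather than silently dropped, so that truncated alarms are noticed.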

Configuration of SNMP Forwarding


Setup Instructions

  1. $ exec bash -l  (reloads your Bash session to pick up new environment settings)
  2. $ sudo -E pygls-snmptrap --setup (adds the required entries to the syslog-ng configuration and configures the SNMP settings; you can re-run this command to change settings, or edit the file /opt/superna/sca/conf/snmptraps.ini)
  3. Specify the following:

    Server Address: IP address of the SNMP receiver
    Port: Port number (default 162)
    SNMP Engine ID: SNMP Engine ID for SNMPv3
    SNMP Version: Default 2c
    Community String: Default public

    Example:

    Server Address: 172.22.22.29
    Port: 162
    SNMP Engine ID:
    SNMP Version: 2c
    Community String: public

  4. To customize what is sent to the SNMP trap destination, follow the instructions below for filtering based on alarm content
  5. The default configuration will forward all alarms to the SNMP destination.


How to send a test SNMP Trap

$ pygls-snmptrap --test (sends a test SNMP message to the SNMP receiver; verify that this test message is received on the SNMP server)

SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = Superna Eyeglass Syslog-NG SNMP Notification Test Message

  1. NOTE: by default the log filter will send all messages as traps. This will generate a large number of trap messages.
  2. It is recommended to replace the default with a specific filter on alarm severity. See the next section below.

How to configure filtering of SNMP messages by Alarm Type

This explains how to select which log message text is forwarded to SNMP. This can be used to send only INFO, Warning or Critical events. It can also be used to send specific events, for example Ransomware events or DR events. The default configuration will forward all alarms to the SNMP destination.

  1. SSH to the appliance as the admin user
  2. sudo -s
  3. Enter the admin password
  4. vim /etc/syslog-ng/conf.d/superna-snmp.conf
  5. Edit the section below to add or delete message strings in the f_superna_snmp filter section. See the example of alarm severity forwarding below. Adding additional strings allows application alarms to be forwarded.

filter f_superna_snmp {
    message("Severity:CRITICAL") or message("Severity:WARNING") ;
};

destination superna_snmp {
    program(
        "/usr/local/bin/pygls-snmptrap"
        flush_lines(1)
        flags(no_multi_line)
        template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")
    );
};

log {
    source(src);
    source(chroots);
    filter(f_superna_snmp);
    destination(superna_snmp);
};

  6. Save and exit the file (press the letter i to insert text; when done, type : then type wq + Enter key)
  7. Disable SNMP Mark Heartbeat
    1. Modify the syslog-ng config file
    2. vim /etc/syslog-ng/syslog-ng.conf
    3. Add mark-freq(0); inside the options { } clause.
    4. Example string: options { chain_hostnames(off); flush_lines(0); perm(0640); stats_freq(3600); threaded(yes); mark-freq(0); }
    5. Save and exit the file (press the letter i to insert text; when done, type : then type wq + Enter key)
  8. Now restart the logging service
    1. systemctl restart syslog-ng
  9. Verify that the file was edited correctly and that syslog-ng is running
    1. systemctl status -l syslog-ng
  10. Done.



Example of SNMP Messages received from Eyeglass

SNMP Messages for Replication Jobs status

8/21/2017 3:55:26 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done.        0        0        7619067        2

8/21/2017 3:55:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [217] - Fetching post-configuration inventory.        0        0        7618578        2

8/21/2017 3:55:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [214] - Unblocking deletes from the database        0        0        7618578        2

8/21/2017 3:55:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,985 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$979 [179] - Writing replication xml file.        0        0        7618502        2

8/21/2017 3:55:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,968 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$977 [124] - Writing fingerprints        0        0        7618499        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,021 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [109] - Fetching current inventory before running replication        0        0        7616408        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,017 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [104] - Clearing deleted items cache        0        0        7616408        2

8/21/2017 3:54:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,003 [cron4j-task-10] INFO MAIN ReplicationTask:run [90] - Starting ReplicationTask        0        0        7616404        2

SNMP Messages for Policy Readiness

8/21/2017 3:41:09 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:09-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:41:09,012 [pool-68-thread-1] DEBUG MAIN PolicyReadinessValidation:doPolicyValidation [194] - Policy readiness validation completed successfully        0        0        7533303        2

8/21/2017 3:41:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.policyreadiness.PolicyReadinessValidation.doPolicyValidation(PolicyReadinessValidation.java:138)        0        0        7532456        2

SNMP Messages for Zone Readiness

8/21/2017 3:45:17 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:17-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:17,296 [pool-75-thread-1] DEBUG MAIN ReadinessJobResultHandler:handleResult [64] - JOB rnsm04-c03_rnsm04-c04: Status: {"state":"FINISHED","jobStatus":"OK","started":1503301507126,"finished":1503301507532,"duration":406,"name":"AccessZoneValidation rnsm04-c03_rnsm04-c04","info":"Access Zone Validation","children":[],"modified":1503301507532}        0        0        7558132        2

8/21/2017 3:45:08 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,480 [pool-80-thread-1] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - {        0        0        7557218        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:53)        0        0        7557171        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:70)        0        0        7557171        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.doAccessZoneValidation(AccessZoneValidation.java:315)        0        0        7557170        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.collectConfigReplication(AccessZoneValidation.java:1127)        0        0        7557170        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation$$Lambda$428/501745496.apply(Unknown Source)        0        0        7557167        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.lambda$collectConfigReplication$743(AccessZoneValidation.java:1127)        0        0        7557167        2

8/21/2017 3:45:07 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,226 [pool-28-thread-2] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - {        0        0        7557154        2

SNMP Messages for ALARM

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,035 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events'        0        0        7628414        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,034 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628413        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628412        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628411        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.108', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628411        2

8/21/2017 3:57:00 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB        0        0        7628411        2

8/21/2017 3:56:59 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,019 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.107', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state'        0        0        7628408        2

SNMP Message for Overall DR Status

8/21/2017 3:47:12 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:47:12-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:47:12,283 [pool-4-thread-33] DEBUG MAIN Policies:getAllPolicies [56] - [{"policy_name":"InsightIQ-NFSDS","policy_enabled":true,"policy_last_success":1497605568000,"policy_last_run":1497605568000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_InsightIQ-NFSDS","job_last_run":1503301518896,"job_last_success":1503301518896,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524918},{"policy_name":"z01-smb01-synciq","policy_enabled":true,"policy_last_success":1498033910000,"policy_last_run":1498033910000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_z01-smb01-synciq","job_last_run":1503301518900,"job_last_success":1503301518900,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524923},{"policy_name":"z01-smb01-synciq_mirror","policy_enabled":false,"policy_last_success":1498033810000,"policy_last_run":1498033905000,"policy_last_status":"finished","policy_status":"DISABLED","overall_dr_status":"FAILED_OVER","job_status":"DISABLED","job_name":"rnsm04-c04_z01-smb01-synciq_mirror","job_last_run":1498033840357,"job_last_success":1498033840357,"job_source":"rnsm04-c04","job_destination":"rnsm04-c03","job_enabled":false,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301528213}]        0        0        7569630        2

SNMP Message for Failover

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,241 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305934        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305934        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305907        2

8/21/2017 5:49:55 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305907        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305880        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - **************************************************************************************************************        0        0        8305879        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:rnsm04-c03_Policy Failover 2017-08-21_05-47-05, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success","Finished":1503308994249,"Started":1503308826347,"URL":"https://172.22.4.89/failover_logs/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS.json"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040        0        0        8305846        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - {        0        0        8305837        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,229 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [66] - **************************************************************************************************************        0        0        8305837        2

8/21/2017 5:49:54 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,228 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [65] - SyncIQ Reports For Policy: z01-smb01-synciq        0        0        8305836        2

8/21/2017 5:49:38 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,740 [pool-298-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true        0        0        8304276        2

8/21/2017 5:49:38 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,470 [pool-281-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true        0        0        8304249        2

8/21/2017 5:47:28 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:28-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:28,151 [pool-273-thread-1] DEBUG MAIN RunConfigurationReplication:handleReplication [48] - Starting replication during failover.        0        0        8291218        2

8/21/2017 5:47:06 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,520 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [132] - DONE Wait for other failover jobs to complete        0        0        8289054        2

8/21/2017 5:47:06 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,516 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [118] - Starting Wait for other failover jobs to complete        0        0        8289053        2

8/21/2017 5:47:05 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:05-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:05,574 [pool-4-thread-120] INFO MAIN PolicyFailoverJobFactory:createJob [83] - in policy failover        0        0        8288959        2

SNMP Message for Ransomware Events

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584996        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584995        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584993        2

8/21/2017 6:36:25 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584993        2

8/21/2017 6:36:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061        0        0        8584517        2

8/21/2017 6:36:21 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061        0        0        8584517        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584437        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,300 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584437        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,282 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584434        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,280 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584434        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,265 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584429        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,264 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent        0        0        8584429        2

8/21/2017 6:36:20 AM        172.22.4.89                        SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190        0        0        8584421        2


Copyright Superna LLC