NodeBrain  Demonstration Site
A Rule Engine for State and Event Monitoring     

SixOrHalfDozen

In this example we have events of various types associated with users on various host systems. We are interested in events of type "that" when any given user has six events on the same host within eight hours, or any given host has half a dozen different users with "that" events. Here we use a two-column Cache to retain all combinations of host and user for "that" events within eight hours. We set a threshold of "host[6]" to trigger when any given host has six different associated users. We set a threshold of "user(6)" to trigger when any combination of host and user occurs six times. When a Cache node counter reaches a threshold, it issues an alert to itself, with subordinate terms like host__kidState that identify the threshold reached. We define the HostKidUsers and HostUserHits rules to detect these alerts. Under normal conditions we would specify a response action.
Tutorial: Cache Node     Language: Define Alert     Module: Cache
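As an added example, not NodeBrain code and not part of this demonstration site, the following Python models the two-column cache and replays the transactions from the log below to confirm which events trip the two thresholds. The `ThatHostUser` class, the `parse_alert` helper and the `run` function are assumptions of this example, as is the treatment of `~(8h)` as one fixed interval that empties the whole cache when it elapses; a threshold is reported only at the moment the counter reaches it, which is all the log shows. The transaction text and the single timestamp are constructed copies of what appears on the page.

```python
"""Python model of the SixOrHalfDozen rules (added example, not NodeBrain code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed copy of the transactions shown in the page's log.
TRANSACTIONS = """\
alert type="logon",host="abc",user="fred";
alert type="that",host="abc",user="bill";
alert type="that",host="abc",user="bill";
alert type="other",host="abc",user="sally";
alert type="that",host="abc",user="fred";
alert type="this",host="abc",user="bill";
alert type="this",host="abc",user="bill";
alert type="that",host="xyz",user="bill";
alert type="this",host="abc",user="fred";
alert type="that",host="abc",user="bill";
alert type="that",host="abc",user="bill";
alert type="that",host="abc",user="sally";
alert type="that",host="abc",user="joe";
alert type="that",host="abc",user="sam";
alert type="that",host="abc",user="mike"; # 6th that abc user
alert type="this",host="abc",user="fred";
alert type="that",host="abc",user="fred";
alert type="that",host="abc",user="bill";
alert type="that",host="abc",user="mike";
alert type="that",host="xyz",user="mike";
alert type="that",host="xyz",user="mike";
alert type="this",host="abc",user="fred";
alert type="that",host="abc",user="bill"; # 6th that abc bill
"""

ALERT_RE = re.compile(r'^alert\s+(.*?);')   # body up to the first ';' (drops # comments)
TERM_RE = re.compile(r'(\w+)="([^"]*)"')     # term="value" pairs

def parse_alert(line):
    """Return the term/value pairs of one `alert ...;` line, or None for other lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return dict(TERM_RE.findall(m.group(1)))

class ThatHostUser:
    """Model of cache:(~(8h):host[6],user(6)) (assumed semantics, see lead-in).

    Column 1 is host, column 2 is user. host[6] fires when a host gains its
    6th distinct user (a "kid" count); user(6) fires when a (host, user) pair
    is inserted for the 6th time (a "hit" count).
    """
    def __init__(self, interval=timedelta(hours=8), kids=6, hits=6):
        self.interval, self.kid_threshold, self.hit_threshold = interval, kids, hits
        self.interval_start = None
        self.table = defaultdict(lambda: defaultdict(int))  # host -> user -> hits

    def insert(self, when, host, user):
        """Insert one (host, user) pair; return the names of the rules that fire."""
        # Assumption: ~(8h) empties the whole cache once the interval has elapsed.
        if self.interval_start is None or when - self.interval_start >= self.interval:
            self.interval_start = when
            self.table.clear()
        users = self.table[host]
        users[user] += 1
        fired = []
        if users[user] == 1 and len(users) == self.kid_threshold:
            fired.append("HostKidUsers")   # host__kidState would be set here
        if users[user] == self.hit_threshold:
            fired.append("HostUserHits")   # user__hitState would be set here
        return fired

    def summary(self):
        """Per host: (total hits, distinct users), like the counts in `show ThatHostUser`."""
        return {h: (sum(u.values()), len(u)) for h, u in self.table.items()}

def run(text, now=datetime(2017, 6, 23, 15, 20, 43)):
    """Apply rule r1 (type="that") to each alert; return the firings as
    (transaction number, rule, host, user) plus the cache. All events share one
    constructed timestamp, matching the single-second log on the page."""
    cache = ThatHostUser()
    firings = []
    for n, line in enumerate(text.splitlines(), 1):
        alert = parse_alert(line)
        if alert is None or alert.get("type") != "that":
            continue  # r1 does not fire, nothing is inserted
        for rule in cache.insert(now, alert["host"], alert["user"]):
            firings.append((n, rule, alert["host"], alert["user"]))
    return firings, cache

if __name__ == "__main__":
    fired, cache = run(TRANSACTIONS)
    for f in fired:
        print(f)
    print(cache.summary())
```

Replaying the page's transactions yields exactly the two firings in the log: HostKidUsers on the "mike" alert that makes abc's sixth distinct user, and HostUserHits on the sixth abc/bill pair; the per-host totals (abc: 13 hits, 6 users; xyz: 3 hits, 2 users) match the `show ThatHostUser` output.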


N o d e B r a i n   0.9.04 (Columbo) 2015-09-24
Spec 0.0.904 built for x86_64-redhat-linux-gnu
Copyright (C) 2014-2015 Ed Trettevik <eat@nodebrain.org>
MIT or NodeBrain License
----------------------------------------------------------------
/usr/bin/nb = ++safe 
Date       Time     Message
---------- -------- --------------------------------------------
2017-06-23 15:20:43 NB000I NodeBrain nb[24680] apache@ip-172-31-40-21.us-west-2.compute.internal
2017-06-23 15:20:43 NB000I Argument [1] =
2017-06-23 15:20:43 NB000I Reading from standard input.
---------- --------
Rules
| define ThatHostUser node cache:(~(8h):host[6],user(6));
| ThatHostUser. define HostKidUsers if(host__kidState);
| ThatHostUser. define HostUserHits if(user__hitState);
| define r1 if(type="that") ThatHostUser(host,user);
Transactions
| alert type="logon",host="abc",user="fred";
| alert type="that",host="abc",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="other",host="abc",user="sally";
| alert type="that",host="abc",user="fred";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="this",host="abc",user="bill";
| alert type="this",host="abc",user="bill";
| alert type="that",host="xyz",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="this",host="abc",user="fred";
| alert type="that",host="abc",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="sally";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="joe";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="sam";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="mike"; # 6th that abc user
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
2017-06-23 15:20:43 NB000I Rule ThatHostUser.HostKidUsers fired 
| alert type="this",host="abc",user="fred";
| alert type="that",host="abc",user="fred";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="bill";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="abc",user="mike";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="xyz",user="mike";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="that",host="xyz",user="mike";
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
| alert type="this",host="abc",user="fred";
| alert type="that",host="abc",user="bill"; # 6th that abc bill
2017-06-23 15:20:43 NB000I Rule r1 fired (ThatHostUser(host,user))
2017-06-23 15:20:43 NB000I Rule ThatHostUser.HostUserHits fired 
| show ThatHostUser;
ThatHostUser = # == node cache:(~(28800s):host[^0,6],user(^0,6))
  Specification: :(~(28800s):host[^0,6],user(^0,6))
  Options: Expire=0 Count=1
  Status:  Alert=1  Publish=1
  Elements:
    ???(16:1){8:1}[2:1],
      "abc"(13:1){6:1}[6:2],
        "joe"(1:1)
        "sam"(1:1)
        "mike"(2:1)
        "bill"(6:2)
        "fred"(2:1)
        "sally"(1:1)
      "xyz"(3:1){2:1}[2:1],
        "bill"(1:1)
        "mike"(2:1)
ThatHostUser.HostKidUsers = # ? == if(ThatHostUser.host__kidState);
ThatHostUser.HostUserHits = # "minor" == if(ThatHostUser.user__hitState);
ThatHostUser._action = "insert"
ThatHostUser._interval = "8 hours"
ThatHostUser.host = "abc"
ThatHostUser.host__kidState = ?
ThatHostUser.host__kids = 6
ThatHostUser.user = "bill"
ThatHostUser.user__hitState = "minor"
ThatHostUser.user__hits = 6
2017-06-23 15:20:43 NB000I NodeBrain nb[24680] terminating - exit code=0