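#
# FHCRC InfoTech loghost swatch config file
#
# Don't use commas or apostrophes in exec strings
#
# Rule format: each watchfor=/regex/ is followed by its actions (exec, mail,
# throttle); ignore=/regex/ drops matching lines. Rules are tried in file
# order and, since no rule here uses "continue", swatch stops at the first
# rule that matches a line.
#
# NOTE(review): exec actions substitute whitespace-split fields of the
# matched log line ($4, $6, $8, $14) into a command line. Log text is
# controlled by whoever sends the message to this loghost, so confirm that
# the installed swatch escapes shell metacharacters before substitution and
# that page_em treats its arguments purely as data.
#
########################################################################
# Look for PIX fail-over
########################################################################
watchfor=/%PIX-1-105002: \(PIX\) Enabling failover/
    exec=/opt/local/script/page_em everyone Duty: $4 has become the active SCCA firewall. --swatch
    mail=network-people
ignore=/PIX/

########################################################################
# Ignore lots of stuff, to improve performance
########################################################################
# The upfront "ignore" lines are purely for performance optimization,
# to reduce the amount of stuff which actually gets searched for
# meaning
#
# NOTE(review): because the first match wins, every pattern ignored here
# also hides matching lines from the watchfor rules further down. The later
# rules for BIND ("CNAME and OTHER data error", "db_load could not open"),
# DHCP ("no free leases") and T3 packet loss ("cping: ...") look unreachable
# if those lines carry the program names named, dhcpd or cping, which are
# ignored below. Confirm against real log samples, and move those watchfor
# rules above this section if they are meant to fire.
#
# NOTE(review): sshd, su: and pam_unix lines are discarded here, so this
# config raises no alert on authentication events; confirm they are
# monitored elsewhere.

# Ignore these boxes entirely
ignore=/bedrock|demeter|fred|ice-a-fw|ice-b-fw/

# Skip the popular entries
# Daemons
ignore=/atalkd|afpd|dhcpd|imapd|ipop3d|lpstat|nagios:|named|nisd|nmbd|nodewatch:|ntpd|pmx-milter|qpage|radiusd|rhnsd|rpc.mountd:|rsyncd|saslauthd|smbd|sendmail|sshd|syslogd:|tftpd|xinetd/
ignore=/CROND|MARK/
# INND stuff
ignore=/ctlinnd|expire|innd:|innxmit|nnrpd|rnews:/
# Processes
ignore=/anacron|apager:|automount|bogofilter|bulkmail:|netops|printer:|procmail|rnews:|smbfs|smb_|stunnel|su:/
ignore=/CRON|HORDE|IAS|SNMP|LicenseService:|Security:SceCli:/
# Popular messages
ignore=/last message|pam_unix/
# Packet infrastructure stuff
ignore=/cf-vpn-private|cping|fping|ga-vpn-internal/
ignore=/Authentication Failure Trap|Forwarding engine IP length error counter|Interface Dot11Radio0/
ignore=/ASCEND|AT-6-NODEWRONG|AUXVLANPORT|CALLRECORD|DISCONNECT|INTCLEARED|IPACCESSLOGP|NTP|SNMP-3-AUTHFAIL|UPDOWN/
# BOOTP/dhcpd error messages
ignore=/BOOTREQUEST from/
ignore=/No applicable record for BOOTP host/
# Normal dhcpd messages
ignore=/DHCPREQUEST|DHCPACK|DHCPOFFER|DHCPDISCOVER|DHCPRELEASE/
# BIND error messages
ignore=/dangling CNAME pointer|Lame server on/
ignore=/bad referral|No possible A RRs|Response from unexpected source/
ignore=/NS points to CNAME|unapproved update from/
ignore=/dumping nameserver stats|NSTATS|XSTATS|A RR negative cache entry/
# Normal NIS+ messages
ignore=/read only child|readonly child|replica_update/
ignore=/timestamp is earlier than the one previously/
ignore=/invalid timestamp received from unix/
ignore=/is unable to encrypt session key|keyserv_client: can't stat/
ignore=/starting to reap child process|child process ended/
ignore=/is unable to generate session key/

# Applications ####################################################
#
# BIND issues
watchfor=/CNAME and OTHER data error/
    mail=server-people
    throttle=60:00,use=regex
watchfor=/db_load could not open/
    mail=server-people
    throttle=60:00,use=regex
ignore=/named/

# DHCP issues
watchfor=/no free leases/
#   exec=/opt/local/script/page_em everyone Duty: A DHCP pool on $4 has exhausted its leases. --swatch
    mail=server-people
    throttle=480:00,use=regex
ignore=/dhcpd/

# IP space ########################################################
#
# Duplicate IP addresses reported by switches and routers
watchfor=/Duplicate address/
    exec=/opt/local/script/page_em everyone Duty: Duplicate IP address. Someone has assigned $14 to another device. --swatch
    throttle=480:00,use=regex
ignore=/Duplicate address/
watchfor=/Traffic from permanent host .* but seen on incorrect port/
    exec=/opt/local/script/page_em everyone Duty: Duplicate IP address. Someone has assigned $4 IP address to another device. --swatch
    throttle=245:00,use=regex
ignore=/Traffic from permanent host .* but seen on incorrect port/

# Packet Infrastructure issues ######################################
#
# Supervisor card is failing
watchfor=/timeout occurred/
    exec=/opt/local/script/page_em vdata Duty: The Supervisor card in $4 is failing. --swatch
    mail=network-people
    throttle=480:00,use=regex
ignore=/timeout occurred/

# Switch power supply failed
watchfor=/Insufficient power supplies operating/
    exec=/opt/local/script/page_em everyone Duty: A power supply in $4 has failed and $4 is no longer servicing its linecards. --swatch
    mail=network-people
    throttle=480:00,use=regex

# Packet loss on T3
watchfor=/cping: \-.*border16s/
    exec=/opt/local/script/page_em everyone Duty: The Internet T3 is experiencing packet loss. --swatch
    mail=network-people
    throttle=60:00,use=regex
ignore=/cping:/

# Duplex mismatch
watchfor=/CDP-4-DUPLEX_MISMATCH/
    mail=network-people
    throttle=480:00,use=regex
# Fixed: this line read "ignore/CDP-4-DUPLEX_MISMATCH/" (missing "="),
# unlike every other ignore rule in the file.
ignore=/CDP-4-DUPLEX_MISMATCH/

# UPS ############################################
#
# The *Cleared rules are listed before their fault rules. The fault patterns
# are unanchored, so /PowerNet-MIB::upsOverload/ also matches
# "PowerNet-MIB::upsOverloadCleared" (likewise badVoltage); with the fault
# rule first, the Cleared rule could never fire and a recovery would be
# paged as a new fault. The keybox rules below use the same ordering.
### Overload
watchfor=/(PowerNet-MIB::upsOverloadCleared)/
    exec=/opt/local/script/page_em everyone Duty: $6 is no longer overloaded. --swatch
    throttle=60:00,use=regex
watchfor=/(PowerNet-MIB::upsOverload)/
    exec=/opt/local/script/page_em everyone Duty: $6 is overloaded. --swatch
    throttle=60:00,use=regex

### Voltage
watchfor=/(PowerNet-MIB::badVoltageCleared)/
    exec=/opt/local/script/page_em everyone Duty: $6 has resumed delivering correct voltage. --swatch
    throttle=60:00,use=regex
watchfor=/(PowerNet-MIB::badVoltage)/
    exec=/opt/local/script/page_em everyone Duty: $6 is not delivering correct voltage. --swatch
    throttle=60:00,use=regex

### Hardware fault
watchfor=/(PowerNet-MIB::hardwareFailureBypass)/
    exec=/opt/local/script/page_em everyone Duty: $6 has suffered a hardware failure and has switched to bypass. --swatch
    throttle=60:00,use=regex
watchfor=/(PowerNet-MIB::lowBattery)/
    exec=/opt/local/script/page_em everyone Duty: $6 batteries are low and will soon be exhausted . --swatch
    throttle=60:00,use=regex
watchfor=/(PowerNet-MIB::returnFromLowBattery)/
    exec=/opt/local/script/page_em everyone Duty: $6 has returned from a low battery condition. --swatch
    throttle=60:00,use=regex

# Keybox monitoring #####################################
#
# contactFaultResolved must stay ahead of contactFault: the shorter pattern
# is a prefix of the longer one and would otherwise match first.
watchfor=/contactFaultResolved/
    exec=/usr/bin/mailx -s \"J4 Key Box Closed\" network-people
ignore=/contactFaultResolved/
watchfor=/contactFault/
    exec=/usr/bin/mailx -s \"J4 Key Box Open\" network-people
ignore=/contactFault/
ignore=/UPS:/

# Unix OS Stuff ######################################################
#
# File system full
watchfor=/file system full/
    exec=/opt/local/script/page_em everyone Duty: Disk space exhausted on $4. --swatch
    mail=server-people
    throttle=480:00,use=regex

# lluf01 /ftp partition space ########################################
# Contact Randy Rue (x3662) with any questions
watchfor=/ftpspace: \/ftp partition/
    exec=/opt/local/script/page_em sops SOPS: The /ftp partition on lluf01 is $8 \% full. --swatch
    mail=server-people
    throttle=480:00,use=regex

# lluf01 root partition space ########################################
# Contact Randy Rue (x3662) with any questions
watchfor=/rootspace: root partition/
    exec=/opt/local/script/page_em everyone DUTY: The root partition on lluf01 is $8 \% full. --swatch
    mail=server-people
    throttle=480:00,use=regex

# System crashes
watchfor=/unix:.*panic/
    exec=/opt/local/script/page_em everyone Duty: $4 panicked and is now rebooting. --swatch
    mail=server-people
    throttle=480:00,use=regex

# File system errors
watchfor=/Media Error/
    exec=/opt/local/script/page_em everyone Duty: Disk problems on $4. --swatch
    mail=server-people
    throttle=480:00,use=regex

# Hardware errors ##################################################
#
# Memory errors
watchfor=/dma error|DMA error/
    exec=/opt/local/script/page_em everyone Duty: RAM problems on $4. --swatch
    mail=server-people
    throttle=480:00,use=regex

# SCSI Bus errors
watchfor=/SCSI transport failed/
    exec=/opt/local/script/page_em everyone Duty: SCSI bus problems on $4. --swatch
    mail=server-people
    throttle=480:00,use=regex

# Unix Security issues ##################################################
#
# Stack smashing attempt
watchfor=/attempt to execute code on stack/
    exec=/opt/local/script/page_em everyone Duty: Hackers are attacking $4: attempt to execute code on stack. --swatch
    mail=server-people
    throttle=60:00,use=regex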