Overview
We can trigger NetYCE jobs from syslog messages. The event manager (SEC) can be used to match a syslog message pattern and trigger the suitable job.
The events on the device can be, for example, a config change or a port/neighbor flap.
Below is an example in which the configuration of a device is fixed when non-compliance of the device is detected.
There are three parts involved in the setup:
1. Syslog pattern matching in the event manager configuration (yce_events.conf)
2. An API call that triggers a scenario/job based on the syslog message
3. A scenario/job that fixes the non-compliance
1. Syslog pattern matching
Sample syslog message:
Below is a sample syslog message reporting non-compliance for a node named abc_core2 with the policy '6.3.1 NTP - abc':
Oct 20 18:15:19 abc_core2 cpml [6.3.1 ntp - abc|minor] [warning]: [CMPL] Node abc_core2 is not compliant with policy '6.3.1 NTP - abc' - Severity: Minor - see abc.netyce.org/operate/cmpl_report.pl?Cmpl_node_id=15503&choice=policy_single for more details
Regex to match this syslog message
The regex below matches this syslog message and extracts the node name and the policy name (it can be built using sites like regex101.com):
[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(.*) cpml \[(.*)\|(.*)is not compliant with policy
Updating yce_events.conf
(1) Admin -> (2) Setup -> Configuration files ->(3) YCE NCCM Syslog patterns configuration: edit
Paste the following text above "External worker script":
#
type=SingleWithSuppress
ptype=RegExp
name=Compliance_mitigate
pattern=[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(.*) cpml \[(.*)\|(.*)is not compliant with policy
desc=Non compliance for $1
action=event Non_cmpl_for_$1_with_$2
window=600
#
Paste the following text below "Internal worker script":
#
type=SingleWithScript
ptype=RegExp
pattern=Non_cmpl_for_(.+)
script=/opt/yce/bin/cmpl_fix.pl $1
desc=$0
action=write - normal save OR save main node $1 matches
#
Click on Save config at the bottom of the page
After modifying the file, execute the command below in the CLI:
go restart yce_events
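As an added example (not part of the original page or of NetYCE), the Python code below follows one message through both rules to show which text ends up in place of $1 on the cmpl_fix.pl command line. Syslog content is set by the sender, so it also compares the page's greedy (.*) groups with a stricter first-rule pattern; the character sets allowed in STRICT, the function name and the constructed message are assumptions.

```python
import re

# Patterns copied from the two rules in yce_events.conf above.
RULE1 = re.compile(r"[a-zA-Z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(.*) cpml \[(.*)\|(.*)"
                   r"is not compliant with policy")
RULE2 = re.compile(r"Non_cmpl_for_(.+)")

# Stricter first-rule pattern. Assumption (not from the page): node names use
# only letters, digits, '_', '.', '-' and policy names additionally allow spaces.
STRICT = re.compile(r"^[a-zA-Z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s([A-Za-z0-9_.-]+) cpml "
                    r"\[([A-Za-z0-9 ._-]+)\|[^\]]*\] .*is not compliant with policy")

def script_argument(message, rule1=RULE1):
    """Follow one message through both rules; return the text substituted
    for $1 in 'script=/opt/yce/bin/cmpl_fix.pl $1', or None if no match."""
    m = rule1.search(message)
    if m is None:
        return None
    event = f"Non_cmpl_for_{m.group(1)}_with_{m.group(2)}"  # action=event ...
    return RULE2.search(event).group(1)

# Sample message from the page (URL tail shortened).
SAMPLE = ("Oct 20 18:15:19 abc_core2 cpml [6.3.1 ntp - abc|minor] [warning]: "
          "[CMPL] Node abc_core2 is not compliant with policy '6.3.1 NTP - abc' "
          "- Severity: Minor")
# Constructed message: the host field carries characters a node name never has.
ODD = ("Oct 20 18:15:19 abc_core2;x y cpml [p|minor] [warning]: "
       "[CMPL] Node abc_core2 is not compliant with policy 'p'")

if __name__ == "__main__":
    for label, msg in (("sample", SAMPLE), ("constructed", ODD)):
        print(label, "| page pattern   ->", repr(script_argument(msg)))
        print(label, "| strict pattern ->", repr(script_argument(msg, STRICT)))
```

If node or policy names on your system use other characters, widen the character classes in the pattern rather than going back to (.*).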
2. API call that triggers scenario/job
The login username ($operator) and password ($password) used for the API call must be updated in cmpl_fix.pl.
Use any file editor to modify this content.
$operator at line no: 112
$password(encrypted password) at line no: 111
The encrypted password can be obtained under (1) Operate -> (2) APIs -> XCH test -> (3) type the password and click on Encrypt pass to generate the encrypted password
3. Scenario/job that fixes non-compliance
Scenario to create/Import.
(1) Operate -> (2) Scenarios -> (3) Import -> Select the file
Small briefing about the Fix_non_cmpl scenario
Parsing template
show_run_ntp is the parsing template that is used to fetch the current NTP configuration
(1) Build -> (2) Templates -> Templates edit -> (3) Client type (in this case CMDB) -> (4) Parsing templates -> (5) New -> (6) Template: show_run_ntp -> (7) Template type: command -> (8) Vendor type: Cisco IOS -> (9) Save
Under Revisions ->(1) New-> (2) Template text : ntp server <s> -> (3) Template status:production -> (4) Save
Config template (Sub template)
The NTP_Server template is used; it contains the configuration necessary to make the node compliant.
(1) Build -> (2) Templates -> Templates edit -> (3) Client type (in this case CMDB) -> (4) Sub templates -> (5) New -> (6) Template: NTP_Server -> (7) Vendor type: Cisco IOS -> (8) Save
Under Revisions ->(1) New-> (2) Template text :
ntp server <Ntp_1> prefer
ntp server <Ntp_2>
ntp server <Ntp_3>
(3) Template status:production -> (4) Save
Testing
Enabling syslog option
Enable the syslog option for the policy under Signal type
Signal trigger:
Enable the required options.
A change in the policy is picked up by the NCCM daemon during the next cycle (5 minutes by default; if it is busy, the change is picked up in the next batch, so the wait time might be around 15 to 20 minutes).
If the policy has to be checked again during testing, modifying any content of the policy (for example, the description) triggers a re-check. By default, compliance is not triggered unless there is a change in the config of the device or a change in the policy.
Viewing the logs
Relevant log files
The Syslog-ng.log file shows the syslog messages that are generated
The Yce_events.log file shows whether the event was triggered by the syslog pattern match and whether the API call was initiated
The Yce_nccmd.log file shows the status of the NCCM (backup and compliance) daemon. It runs every 5 minutes by default.
Viewing log files in GUI
(1) Admin -> (2) System -> (3) Debugging
Click follow for real-time viewing of the respective log
Viewing log files via CLI
go logs
tail -f <log file name> for real-time viewing of logs