Vernon,
My guess would be the "COLOR=red" token in the rule. When a recovery comes in the color isn't red, therefore no match.
Regards, Jim
----- Message from "Vernon Everett" <v.everett at afgonline.com.au> on Fri, 13 Jan 2006 18:55:30 +0800 -----
To: <hobbit at hswn.dk>
Subject: Hobbit Alert config

Hi all

Can anybody tell me if there is a specific order required for the entries in hobbit-alert.cfg? For instance, this line
    MAIL 55512345 at messagenet.com.au FORMAT=SMS REPEAT=180 DURATION>5 COLOR=red RECOVERED
alerts me to the issue, but I don't get a recovered SMS.
I know Hobbit is configured correctly, because this line
    MAIL v.everett at afgonline.com.au RECOVERED REPEAT=480
mails me the recovered notice.
Cheers Vernon
Jim Horwath SANS Certified: GCUX, GCIH, GCIA, GHTQ, GREM Unix Admin JamesHorwath at glic.com (W) 610-807-8795 (C) 610-533-6972 (F) 610-807-6003
On Fri, Jan 13, 2006 at 06:13:20AM -0500, James B Horwath wrote:
Vernon Everett wrote:
Can anybody tell me if there is a specific order required for the entries in hobbit-alert.cfg? For instance, this line
    MAIL 55512345 at messagenet.com.au FORMAT=SMS REPEAT=180 DURATION>5 COLOR=red RECOVERED
alerts me to the issue, but I don't get a recovered SMS.
I know Hobbit is configured correctly, because this line
    MAIL v.everett at afgonline.com.au RECOVERED REPEAT=480
mails me the recovered notice.
My guess would be the "COLOR=red" token in the rule. When a recovery comes in the color isn't red, therefore no match.
That shouldn't cause it to drop the recovery message - when you have a RECOVERED setting on an alert rule, the recovery message goes out to all the people who were alerted originally.
At least, that's how it *should* work.
Now, the question for Vernon is: Did the "55512345 at messagenet.com.au" recipient in your original report get the alert message? There's a DURATION>5 there, so if it was a short-lived problem he may not have gotten the alert - and then there's no recovery message either.
Regards, Henrik