Ticket #125 (assigned task)

Opened 5 years ago

Last modified 5 years ago

Develop sane EQL to detect failures.

Reported by: jesus
Assigned to: jesus (accepted)
Priority: major
Milestone: Subterfuge
Component: stratcond
Severity: critical
Keywords:
Cc:

Description

Develop sane EQL.

Change History

05/12/09 12:52:46 changed by jesus

  • status changed from new to assigned.

On first boot, events that roll in as bad or unavailable seem like issues:

select * from NoitStatus.std:firstunique(uuid) having state!='G' or availability!='A'

(follow-up: ↓ 3 ) 05/12/09 12:54:32 changed by jesus

Detect any state/availability changes... this needs to be more intelligent, but this is a point to start from.

select * from pattern
[
  every
    s=NoitStatus ->
    n=NoitStatus(uuid=s.uuid and (state <> s.state or availability <> s.availability))
]

(in reply to: ↑ 2 ) 05/25/09 02:50:08 changed by jesus

  • severity set to critical.

Replying to jesus:

This leaks... we actually want:

select * from pattern
[
  every
    s=NoitStatus ->
    ( n=NoitStatus(uuid=s.uuid and (state <> s.state or availability <> s.availability))
      and not NoitStatus(uuid=s.uuid and not (state <> s.state or availability <> s.availability)) )
]
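As an added illustration (not part of the ticket and not Reconnoiter/stratcond code), the Python below models the three EQL statements in this ticket over a constructed NoitStatus stream, so the leak described in comment 2 and the effect of the `and not` terminator in comment 3 can be seen directly. The Esper pattern semantics it assumes are: `every` starts a fresh sub-pattern instance for each event bound to `s`; the followed-by right-hand side only sees events that arrive after `s`; and `B and not C` completes when B arrives but is discarded once C arrives first. The `NoitStatus` field names follow the queries; the event values and uuids are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NoitStatus:
    """One status event per check, keyed by uuid (fields as used in the ticket's EQL)."""
    uuid: str
    state: str          # 'G' = good; anything else is a failed check
    availability: str   # 'A' = available; anything else is unavailable


def changed(s: NoitStatus, n: NoitStatus) -> bool:
    """The ticket's predicate: state <> s.state or availability <> s.availability."""
    return n.state != s.state or n.availability != s.availability


def first_boot_failures(events: List[NoitStatus]) -> List[NoitStatus]:
    """std:firstunique(uuid) having state!='G' or availability!='A':
    only the first event seen per uuid is considered, and it is reported if bad."""
    seen = set()
    hits = []
    for e in events:
        if e.uuid in seen:
            continue
        seen.add(e.uuid)
        if e.state != 'G' or e.availability != 'A':
            hits.append(e)
    return hits


def change_pattern(events: List[NoitStatus], bounded: bool
                   ) -> Tuple[List[Tuple[NoitStatus, NoitStatus]], int]:
    """Simulate `every s=NoitStatus -> n=NoitStatus(uuid=s.uuid and <changed>)`.

    Every event becomes a new sub-pattern instance ("waiter") bound as s.  A waiter
    fires when a later event for the same uuid differs in state or availability.
    bounded=False is comment 2: a waiter that sees an unchanged event for its uuid
    stays alive, so each later change fires once per accumulated waiter.
    bounded=True is comment 3: the `and not NoitStatus(uuid=s.uuid and not <changed>)`
    clause terminates the waiter as soon as an unchanged event for that uuid arrives.
    Returns (matches, peak number of simultaneously open waiters)."""
    waiters: List[NoitStatus] = []
    matches: List[Tuple[NoitStatus, NoitStatus]] = []
    peak = 0
    for e in events:
        survivors = []
        for s in waiters:
            if e.uuid != s.uuid:
                survivors.append(s)        # another check's event: not this waiter's business
            elif changed(s, e):
                matches.append((s, e))     # n matched, this sub-pattern instance completes
            elif not bounded:
                survivors.append(s)        # same uuid, no change: the leaky form keeps waiting
            # bounded form: the `and not` branch saw an unchanged event, instance discarded
        waiters = survivors
        waiters.append(e)                  # `every`: e itself starts a new instance of s
        peak = max(peak, len(waiters))
    return matches, peak


# Constructed sample stream (not from the ticket): n1 flips G->B->G, n2 starts bad.
SAMPLE = [
    NoitStatus('n1', 'G', 'A'),
    NoitStatus('n2', 'B', 'A'),
    NoitStatus('n1', 'G', 'A'),
    NoitStatus('n1', 'B', 'A'),
    NoitStatus('n2', 'G', 'A'),
    NoitStatus('n1', 'B', 'A'),
    NoitStatus('n1', 'G', 'A'),
]

# Ten identical heartbeats for one check: the leaky form keeps ten waiters open.
STEADY = [NoitStatus('n3', 'G', 'A')] * 10

if __name__ == '__main__':
    print('first-boot failures:', first_boot_failures(SAMPLE))
    for bounded in (False, True):
        m, peak = change_pattern(SAMPLE, bounded)
        print('bounded' if bounded else 'leaky', ':', len(m), 'matches, peak open', peak)
    for bounded in (False, True):
        m, peak = change_pattern(STEADY, bounded)
        print('steady', 'bounded' if bounded else 'leaky', ':', len(m), 'matches, peak open', peak)
```

On the sample stream the leaky form reports five matches for three real transitions (two of them are the same n1 change seen by two stale waiters), while the bounded form reports exactly one match per transition; on a steady stream of identical events the leaky form's open-waiter count grows with every heartbeat, which is the leak the ticket refers to.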