Eyeglass Alarm Forwarding Guide SNMP and Syslog

Eyeglass Alarm Forwarding Guide: SNMP Trap Forwarding, Syslog



Overview

Installation and Configuration: Syslog and SNMP Forwarding

Log View provides access to Local as well as Remote Logging Services

How to configure filtering of SNMP messages by Alarm Type

How to configure filtering of SNMP and SYSLOG forwarding

Example of SNMP Messages received from Eyeglass

SNMP Messages for Replication Jobs status

SNMP Messages for Policy Readiness

SNMP Messages for Zone Readiness

SNMP Messages for ALARM

SNMP Message for Overall DR Status

SNMP Message for Failover

SNMP Message for Ransomware Events


Overview:


This add-on solution allows the syslog messages on the Eyeglass appliance to be forwarded as SNMP traps. The Eyeglass syslog contains Isilon cluster alarms/events and DR status alarms from Eyeglass.


The normal syslog forwarding feature available in the Eyeglass UI allows configuration of forwarding of syslog messages. This procedure adds SNMP forwarding, using the supplied MIB, to a management platform.


Supported Alarms

  1. Eyeglass alarms

  2. Isilon alarms are collected


Installation and Configuration  Syslog and SNMP Forwarding

Requirements:

  1. OVF 2.5.x or greater. Upgrade to the latest OVF if required, with the guide here.

  2. Place the SUPERNA-EYEGLASS-MIB file onto your SNMP trap management station. It is located on the appliance in /opt/pygls/lib/python3.6/site-packages/pygls/mibs



Setup Instructions



$ exec bash -l  (to reload your Bash session to pick up new environment settings)

$ sudo -E pygls-snmptrap --setup (to add the required entries to the syslog-ng configuration and to configure the SNMP settings; you can re-run this command to change settings, or edit the file /opt/superna/sca/conf/snmptraps.ini)


Specify the following settings:

Server Address: IP address of the SNMP receiver

Port: Port number (default 162)

SNMP Engine ID: SNMP Engine ID for SNMPv3

SNMP Version: Default 2c

Community String: Default public





Example:

Server Address: 172.22.22.29

Port: 162

SNMP Engine ID:

SNMP Version: 2c


Community String: public


  1. NOTE: due to an issue in the install, a duplicate include line is added that must be removed.

    1. sudo -s

      1. Enter admin password

    2. Edit the config file

      1. vim /etc/syslog-ng/syslog-ng.conf

      2. Go to the end of the file

      3. Find this line: include "/etc/syslog-ng/conf.d/*.conf"

      4. Delete this line and save the file

      5. :wq (to save the file)

    3. Now restart syslog

      1. systemctl restart syslog-ng

    4. Check the service started

      1. systemctl status syslog-ng

      2. It should show active

    5. end


$ pygls-snmptrap --test (to test sending an SNMP message to the SNMP receiver; verify that this test message is received on the SNMP server)


SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = Superna Eyeglass Syslog-NG SNMP Notification Test Message



  1. NOTE: by default the log filter sends all messages as traps. This produces a large number of trap messages.

  2. It is recommended to replace the default with a specific filter on alarm severity. See the section on filtering by Alarm Type below.


Log View  provides access to Local as well as Remote Logging Services

Syslog forwarding can be configured in the Eyeglass GUI. For advanced filtering, see the filtering sections in this guide.




Figure 1  Logging Architecture



How to configure filtering of SNMP messages by Alarm Type


This section explains how to select which log message text is forwarded to SNMP. It can be used to send only INFO, WARNING or CRITICAL events. It can also be used to send specific events, for example Ransomware events or DR events.


  1. SSH to the appliance as the admin user

  2. sudo -s

  3. Enter admin password

  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows:


Default Filter  

filter f_superna_snmp {

   netmask("127.0.0.1/32");

};


Replace default filter section with an example below

filter f_superna_snmp {

   message("Severity:CRITICAL");

};


OR


filter f_superna_snmp {

   message("Severity:MAJOR");

};


OR


filter f_superna_snmp {

   message("Severity:WARNING");

};


OR


filter f_superna_snmp {

   message("Severity:MINOR");

};



OR


filter f_superna_snmp {

   message("Severity:INFO");

};

  1. Save and Exit the file with CTRL+X

  2. Answer Yes

  3. Now restart logging service

  4. systemctl restart syslog-ng

  5. To verify the file was edited correctly and make sure syslog-ng is running

  6. systemctl status -l syslog-ng

  7. done.



To combine multiple Alarm severities or combine message strings see example below.


filter f_superna_snmp {

   message("Severity:CRITICAL") or message("Severity:MAJOR") ;

};


How to configure filtering of SNMP and SYSLOG forwarding



These instructions are for release 1.9.3 or later only


  1. SSH to the appliance as the admin user

  2. sudo -s

  3. Enter admin password

  4. vim /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows.

    1. Enter the destination of your syslog server (the x.x.x.x value in the logserver destination below)

    2. SNMP messages will be sent to the server configured with:

      1. sudo -E pygls-snmptrap --setup

      2. Or vim /opt/superna/sca/conf/snmptraps.ini (make changes here)

    3. This filter will send Critical and Warning alarms to the Syslog and SNMP trap destinations. Edit the file to use the template below


filter f_superna {

   message("Severity:CRITICAL") or message("Severity:WARNING") ;

};


destination logserver { udp("x.x.x.x" port(514)); };


destination superna_snmp {

   program(

       "/usr/local/bin/pygls-snmptrap"

       flush_lines(1)

       flags(no_multi_line)

       template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")

   );

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(superna_snmp);

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(logserver);

};


  1. After making changes, syslog-ng must be restarted for the changes to take effect

    1. systemctl restart syslog-ng

    2. Check that it is running

    3. systemctl status syslog-ng
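
An added example (not from the Superna guide or its tooling): a Python preview of which messages a filter stanza from the two filtering sections above would forward, so a filter can be checked before syslog-ng is restarted. It assumes syslog-ng's message() is an unanchored, case-sensitive regular-expression match; the function names are hypothetical and the sample messages are constructed, shortened from the traps shown in this guide.

```python
import re

# One filter stanza as written in /etc/syslog-ng/conf.d/superna-snmp.conf.
FILTER_RE = re.compile(r'filter\s+(\w+)\s*\{(.*?)\}\s*;', re.DOTALL)
TERM_RE = re.compile(r'message\(\s*"((?:[^"\\]|\\.)*)"\s*\)')

CRITICAL_OR_MAJOR = '''filter f_superna_snmp {
   message("Severity:CRITICAL") or message("Severity:MAJOR") ;
};'''
CRITICAL_OR_WARNING = '''filter f_superna {
   message("Severity:CRITICAL") or message("Severity:WARNING") ;
};'''
INFO_ONLY = 'filter f_superna_snmp {\n   message("Severity:INFO");\n};'
DEFAULT_FILTER = 'filter f_superna_snmp {\n   netmask("127.0.0.1/32");\n};'

# Constructed sample messages, shortened from the trap payloads in this guide.
SAMPLES = {
    "ransomware_alarm": 'Eyeglass, , Event: 2017-08-21 06:36:21.149, '
                        'Extra Data:{"severity":"WARNING"}, '
                        'Description:Ransomware signal received. , NSA, '
                        'Severity:CRITICAL, Impact:false, Category:SCA0061',
    "failover_alarm": 'Eyeglass, , Event: 2017-08-21 05:49:54.253, '
                      'Extra Data:{"Status":"Success"}, '
                      'Description:Failover Succeeded , NSA, '
                      'Severity:INFORMATIONAL, Impact:false, Category:SCA0040',
    "eca_debug_line": ">> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', "
                      "Description: 'ECA Node inactive or in error state'",
    "replication_debug_line": "ReplicationTask is done.",
}


def parse_filter(conf_text):
    """Return (name, patterns) for a filter built only from message() terms joined by 'or'."""
    block = FILTER_RE.search(conf_text)
    if block is None:
        raise ValueError("no filter block found")
    name, body = block.group(1), block.group(2)
    patterns = TERM_RE.findall(body)
    # Whatever is left once the message() terms are removed must be the 'or' joiners.
    leftover = TERM_RE.sub(" ", body).replace(";", " ").split()
    if not patterns or leftover != ["or"] * (len(patterns) - 1):
        raise ValueError(f"filter {name}: only message() terms joined by 'or' are handled")
    return name, patterns


def preview(conf_text, samples=SAMPLES):
    """Return the sorted labels of the sample messages the filter would forward."""
    _, patterns = parse_filter(conf_text)
    return sorted(label for label, text in samples.items()
                  if any(re.search(p, text) for p in patterns))


if __name__ == "__main__":
    for stanza in (CRITICAL_OR_MAJOR, CRITICAL_OR_WARNING, INFO_ONLY):
        print(parse_filter(stanza)[0], preview(stanza))
```

The preview shows two matching details: "Severity:INFO" also matches "Severity:INFORMATIONAL" because the match is a substring match, and the debug line written as Severity: 'MAJOR' is not matched by "Severity:MAJOR".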

Example of SNMP Messages received from Eyeglass


SNMP Messages for Replication Jobs status

8/21/2017 3:55:26 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done. 0 0 7619067 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [217] - Fetching post-configuration inventory. 0 0 7618578 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [214] - Unblocking deletes from the database 0 0 7618578 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,985 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$979 [179] - Writing replication xml file. 0 0 7618502 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,968 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$977 [124] - Writing fingerprints 0 0 7618499 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,021 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [109] - Fetching current inventory before running replication 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,017 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [104] - Clearing deleted items cache 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,003 [cron4j-task-10] INFO MAIN ReplicationTask:run [90] - Starting ReplicationTask 0 0 7616404 2




SNMP Messages for Policy Readiness

8/21/2017 3:41:09 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:09-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:41:09,012 [pool-68-thread-1] DEBUG MAIN PolicyReadinessValidation:doPolicyValidation [194] - Policy readiness validation completed successfully 0 0 7533303 2

8/21/2017 3:41:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.policyreadiness.PolicyReadinessValidation.doPolicyValidation(PolicyReadinessValidation.java:138) 0 0 7532456 2





SNMP Messages for Zone Readiness

8/21/2017 3:45:17 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:17-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:17,296 [pool-75-thread-1] DEBUG MAIN ReadinessJobResultHandler:handleResult [64] - JOB rnsm04-c03_rnsm04-c04: Status: {"state":"FINISHED","jobStatus":"OK","started":1503301507126,"finished":1503301507532,"duration":406,"name":"AccessZoneValidation rnsm04-c03_rnsm04-c04","info":"Access Zone Validation","children":[],"modified":1503301507532} 0 0 7558132 2

8/21/2017 3:45:08 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,480 [pool-80-thread-1] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557218 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:53) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:70) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.doAccessZoneValidation(AccessZoneValidation.java:315) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.collectConfigReplication(AccessZoneValidation.java:1127) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation$$Lambda$428/501745496.apply(Unknown Source) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.lambda$collectConfigReplication$743(AccessZoneValidation.java:1127) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,226 [pool-28-thread-2] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557154 2




SNMP Messages for ALARM

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,035 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events' 0 0 7628414 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,034 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628413 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628412 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.108', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:56:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,019 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.107', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628408 2


SNMP Message for Overall DR Status

8/21/2017 3:47:12 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:47:12-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:47:12,283 [pool-4-thread-33] DEBUG MAIN Policies:getAllPolicies [56] - [{"policy_name":"InsightIQ-NFSDS","policy_enabled":true,"policy_last_success":1497605568000,"policy_last_run":1497605568000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_InsightIQ-NFSDS","job_last_run":1503301518896,"job_last_success":1503301518896,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524918},{"policy_name":"z01-smb01-synciq","policy_enabled":true,"policy_last_success":1498033910000,"policy_last_run":1498033910000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_z01-smb01-synciq","job_last_run":1503301518900,"job_last_success":1503301518900,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524923},{"policy_name":"z01-smb01-synciq_mirror","policy_enabled":false,"policy_last_success":1498033810000,"policy_last_run":1498033905000,"policy_last_status":"finished","policy_status":"DISABLED","overall_dr_status":"FAILED_OVER","job_status":"DISABLED","job_name":"rnsm04-c04_z01-smb01-synciq_mirror","job_last_run":1498033840357,"job_last_success":1498033840357,"job_source":"rnsm04-c04","job_destination":"rnsm04-c03","job_enabled":false,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301528213}] 0 0 7569630 2

SNMP Message for Failover

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,241 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305907 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305907 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305880 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305879 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:rnsm04-c03_Policy Failover 2017-08-21_05-47-05, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success","Finished":1503308994249,"Started":1503308826347,"URL":"https://172.22.4.89/failover_logs/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS.json"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040 0 0 8305846 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,229 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [66] - ************************************************************************************************************** 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,228 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [65] - SyncIQ Reports For Policy: z01-smb01-synciq 0 0 8305836 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,740 [pool-298-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304276 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,470 [pool-281-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304249 2

8/21/2017 5:47:28 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:28-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:28,151 [pool-273-thread-1] DEBUG MAIN RunConfigurationReplication:handleReplication [48] - Starting replication during failover. 0 0 8291218 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,520 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [132] - DONE Wait for other failover jobs to complete 0 0 8289054 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,516 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [118] - Starting Wait for other failover jobs to complete 0 0 8289053 2

8/21/2017 5:47:05 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:05-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:05,574 [pool-4-thread-120] INFO MAIN PolicyFailoverJobFactory:createJob [83] - in policy failover 0 0 8288959 2


SNMP Message for Ransomware Events

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584996 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584995 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584993 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584993 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,300 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,282 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,280 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,265 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,264 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584421 2
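
An added example (not from the Superna guide or its tooling): a receiver-side Python parser that turns the alarm payloads shown above into structured fields and drops the duplicate copy of an event, as seen where the same ransomware alarm arrives once from bash[19595] and once from localhost. The field layout is inferred from the sample traps in this guide, the function names are hypothetical, and the payloads are the guide's samples in shortened form.

```python
import json
import re

EXTRA_RE = re.compile(r"Extra Data:\s*")
EVENT_RE = re.compile(r"Event: ([\d-]+ [\d:.]+),")
TAIL_FIELDS = {
    "description": re.compile(r"Description:(.*?)\s*, NSA,"),
    "severity": re.compile(r"Severity:([A-Z]+)"),
    "category": re.compile(r"Category:(\w+)"),
}

# Sample payloads shortened from the traps in this guide (one file kept per event).
RANSOMWARE_BODY = (
    r'Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, '
    r'Type:null, EntityType:, Extra Data:{"severity":"WARNING",'
    r'"user name":"RNSM04\\rnsm04-t32",'
    r'"files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt"],'
    r'"explanation":"New ransomware event created",'
    r'"sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, '
    r'Description:Ransomware signal received. , NSA, Severity:CRITICAL, '
    r'Impact:false, Category:SCA0061 0 0 8584517 2'
)
DEBUG_LINE = ("2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: "
              "DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification")
SAMPLE_PAYLOADS = [
    "2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 "
    "06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - " + RANSOMWARE_BODY,
    "2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - " + RANSOMWARE_BODY,
    '2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , '
    'Event: 2017-08-21 05:49:54.253, Extra Data:{"Status":"Success"}, '
    'Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, '
    'Category:SCA0040 0 0 8305846 2',
    DEBUG_LINE,
]


def parse_alarm(payload):
    """Return a dict of alarm fields, or None when the payload is not an alarm line."""
    marker = EXTRA_RE.search(payload)
    if marker is None:
        return None
    try:
        # raw_decode reads exactly one JSON value and reports where it ended, so commas
        # and braces inside Extra Data are never mistaken for field separators.
        extra, end = json.JSONDecoder().raw_decode(payload, marker.end())
    except json.JSONDecodeError:
        return None
    head, tail = payload[:marker.start()], payload[end:]
    event = EVENT_RE.search(head)
    alarm = {"event_time": event.group(1) if event else None, "extra": extra}
    # Severity, Category and Description are read only from the text after the JSON,
    # so strings inside Extra Data (file names, user names) cannot be taken for them.
    for name, pattern in TAIL_FIELDS.items():
        found = pattern.search(tail)
        alarm[name] = found.group(1).strip() if found else None
    return alarm


def unique_alarms(payloads, severities=("CRITICAL",)):
    """Parse payloads, keep the wanted severities, and drop repeated copies of an event."""
    seen, alarms = set(), []
    for payload in payloads:
        alarm = parse_alarm(payload)
        if alarm is None or alarm["severity"] not in severities:
            continue
        key = (alarm["event_time"], alarm["category"], alarm["description"])
        if key not in seen:
            seen.add(key)
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for a in unique_alarms(SAMPLE_PAYLOADS):
        print(a["severity"], a["category"], a["extra"]["user name"], a["extra"]["files"])
```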