Eyeglass Alarm Forwarding Guide: SNMP Trap Forwarding and Syslog






Overview:


This add-on solution allows the syslog messages on the Eyeglass appliance to be forwarded over SNMP. The Eyeglass syslog contains Isilon cluster alarms/events and DR status alarms from Eyeglass.


The normal syslog forwarding feature available in the Eyeglass UI lets you configure forwarding of syslog messages. This procedure adds SNMP forwarding, using the supplied MIB, to a management platform.


Supported Alarms

  1. Eyeglass alarms

  2. Isilon alarms are collected


Installation and Configuration  Syslog and SNMP Forwarding

Requirements:

  1. Release 2.0 does not require any files to be installed.

  2. Eyeglass with the openSUSE 42.3 operating system. Eyeglass version 1.9.3 or later.

  3. Superna Eyeglass MIB file. The MIB file is part of the zip file download. Place the SUPERNA-EYEGLASS-MIB file on your SNMP trap management station.


Installation of SNMP driver package (OVF appliance earlier than 2.0)


  1. Download the zip file here. Copy the three files required for the SNMP driver package installation to the Eyeglass appliance using scp (for example, WinSCP).

    1. install.sh

    2. superna-supernapy-95460366226a.tar.bz2

    3. superna-pygls-21af86a5fd49.tar.bz2


  2. Log in to the Eyeglass appliance as user admin.


  3. Execute the following commands:

$ chmod +x install.sh

$ sudo /<enter full path here>/install.sh /<enter full path here>/superna-supernapy-95460366226a.tar.bz2 /<enter full path here>/superna-pygls-21af86a5fd49.tar.bz2  (enter admin password)


  4. Once the SNMP driver package installation has completed, run the following commands to configure the system:


$ exec bash -l  (reloads your Bash session to pick up the new environment settings)

$ sudo -E pygls-snmptrap --setup  (adds the required entries to the syslog-ng configuration and configures the SNMP settings; you can re-run this command to change settings, or edit the file /opt/superna/sca/conf/snmptraps.ini)

We need to specify the following:

Server Address: IP address of the SNMP receiver

Port: Port number (default 162)

SNMP Engine ID: SNMP Engine ID for SNMPv3

SNMP Version: Default 2c

Community String: Default public



Example:

Server Address: 172.22.22.29

Port: 162

SNMP Engine ID:

SNMP Version: 2c

Community String: public


$ pygls-snmptrap --test  (sends a test SNMP message to the SNMP receiver; verify that this test message is received on the SNMP server)


SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = Superna Eyeglass Syslog-NG SNMP Notification Test Message



  1. NOTE: By default the log filter sends all messages as traps. This produces a large number of trap messages.

  2. It is recommended to replace the default filter with a specific alarm-severity filter. See the section on filtering by alarm type below.


Log View provides access to Local as well as Remote Logging Services

Syslog forwarding can be configured in the Eyeglass GUI. For advanced filtering, see the filtering sections in this guide.




Figure 1  Logging Architecture


To access Log View, single-click the Log View icon (Figure 2) on the desktop, or go to the bottom left of the Eyeglass appliance web UI and select the logging options from there.

Figure 2



The Logging Window (Figure 3) should then appear on the page. We will see two main options:

  1. Local Logs

  2. Remote Logging Services

Figure 3


Local Logs

Local Logs provides access to the Eyeglass Main Log file and the VCE Vision Intelligent Operations syslogs (only if a Vblock discovery license is installed and a Vblock is added as a managed device).

To access Local Logs, single-click Local Logs in the Logging Window (Figure 4).

Next to the Select Log field label, click the drop-down list, which displays the available logs: Eyeglass Main Log and Eyeglass Syslog. Select the log type you want to view.

Figure 4


We can choose to Fetch or Watch the selected log.

Fetch: Fetch returns the whole log file, with the required system details, so that it can be reviewed in its entirety.

Watch: Watch shows the selected log live, in real time, and updates dynamically as new log messages are received.

Figure 5 : Fetch main Syslog


Remote Syslog Forwarding Configuration

Remote Logging Services creates a connection between the Eyeglass appliance and third-party log management applications and makes the log data visible via the third-party product. These third-party log management applications provide powerful search features and advanced log analytics with detailed log summaries, report generation, etc.

Figure 6


  1. To access Remote Logging Services, single-click Remote Logging Services (Figure 6) in the Log View interface.

  2. Click Add Remote Log Consumer to add a remote log management application.

  3. Fill in the required connection parameters and select the Log Consumer Type (Figure 7) you wish to access. The default port is 514. You can replace it with another port number as required.

  4. Use Delete Selected Remote Log Consumer to remove a target log service.

Figure 7

  5. When done, single-click Submit. The Remote Log Consumer you just added will be displayed in the Remote Logging Services interface.

  6. Click the IP address of the Log Consumer Type you wish to access. You will then be directed to the web UI based on what you selected.


How to configure filtering of syslog messages by Alarm Type


This section explains how to select which log message text is forwarded to SNMP. It can be used to send only INFO, Warning or Critical events. It can also be used to send specific events, for example Ransomware events or DR events.


  1. SSH to the appliance as the admin user.

  2. sudo -s

  3. Enter the admin password.

  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows:


Default Filter  

filter f_superna_snmp {

   netmask("127.0.0.1/32");

};


Replace the default filter section with one of the examples below:

filter f_superna_snmp {

   message("Severity:CRITICAL");

};


OR


filter f_superna_snmp {

   message("Severity:MAJOR");

};


OR


filter f_superna_snmp {

   message("Severity:WARNING");

};


OR


filter f_superna_snmp {

   message("Severity:MINOR");

};



OR


filter f_superna_snmp {

   message("Severity:INFO");

};

  6. Save and exit the file with CTRL+X.

  7. Answer Yes.

  8. Restart the logging service:

     systemctl restart syslog-ng

  9. Verify that the file was edited correctly and that syslog-ng is running:

     systemctl status -l syslog-ng

  10. Done.



To combine multiple Alarm severities or combine message strings see example below.


filter f_superna_snmp {

   message("Severity:CRITICAL") or message("Severity:MAJOR") ;

};
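To check what a severity filter would select before restarting syslog-ng, the added example below (not Superna's code) applies the page's message() filters to message texts shortened from the example traps later on this page. It assumes message() behaves as an unanchored, case-sensitive regular-expression search of the message text; the function names and sample labels are illustrative.

```python
import re

# One message("...") term as written in /etc/syslog-ng/conf.d/superna-snmp.conf.
_MESSAGE_TERM = re.compile(r'message\(\s*"((?:[^"\\]|\\.)*)"\s*\)')


def severity_filter(*levels):
    """Build a filter block in the form shown on this page for the given severities."""
    terms = " or ".join(f'message("Severity:{level}")' for level in levels)
    return "filter f_superna_snmp {\n   " + terms + " ;\n};"


def filter_patterns(filter_block):
    """Compile the message() regexes of a filter whose terms are joined by 'or'."""
    body = filter_block[filter_block.index("{") + 1 : filter_block.rindex("}")]
    terms = _MESSAGE_TERM.findall(body)
    # After removing the message() terms, only 'or' keywords and ';' may remain.
    leftover = _MESSAGE_TERM.sub(" ", body).replace(";", " ").split()
    if not terms or any(token != "or" for token in leftover):
        raise ValueError("only message(...) terms joined by 'or' are handled here")
    return [re.compile(term) for term in terms]


def selected(filter_block, messages):
    """Return the sorted names of the messages that the filter would pass on."""
    patterns = filter_patterns(filter_block)
    # Assumption: message() is an unanchored, case-sensitive regex search.
    return sorted(
        name for name, text in messages.items()
        if any(p.search(text) for p in patterns)
    )


# Constructed samples: message texts shortened from the example traps on this page.
MESSAGES = {
    "ransomware_alarm": (
        'Eyeglass, , Event: 2017-08-21 06:36:21.149, Extra Data:{"severity":"WARNING"}, '
        "Description:Ransomware signal received. , NSA, Severity:CRITICAL, "
        "Impact:false, Category:SCA0061"
    ),
    "failover_alarm": (
        'Eyeglass, , Event: 2017-08-21 05:49:54.253, Extra Data:{"Status":"Success"}, '
        "Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, "
        "Impact:false, Category:SCA0040"
    ),
    "alarm_debug_line": (
        "DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', "
        "Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events'"
    ),
    "replication_debug_line": (
        "DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done."
    ),
}

if __name__ == "__main__":
    for levels in (("CRITICAL", "MAJOR"), ("MAJOR",), ("WARNING",), ("INFO",)):
        print(levels, "->", selected(severity_filter(*levels), MESSAGES))
```

Under that assumption, "Severity:INFO" also selects alarms logged as Severity:INFORMATIONAL, while the DEBUG line that prints Severity: 'MAJOR' with a space and quotes is not selected by "Severity:MAJOR".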


How to configure filtering of syslog and syslog forwarding

The current release has a UI function that will be updated in release 2.0.


These instructions are for release 1.9.3 or later


  1. SSH to the appliance as the admin user.

  2. sudo -s

  3. Enter the admin password.

  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows.

    1. Enter the address of your syslog server in place of x.x.x.x in the logserver destination (highlighted in yellow in the original guide).

    2. SNMP messages will be sent to the server configured with:

      1. sudo -E pygls-snmptrap --setup

      2. Or nano /opt/superna/sca/conf/snmptraps.ini (make changes here)

    3. This filter will send Critical and Warning alarms to the syslog and SNMP trap destinations.


filter f_superna {

   message("Severity:CRITICAL") or message("Severity:WARNING") ;

};


destination logserver { udp("x.x.x.x" port(514)); };


destination superna_snmp {

   program(

       "/usr/local/bin/pygls-snmptrap"

       flush_lines(1)

       flags(no_multi_line)

       template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")

   );

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(superna_snmp);

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(logserver);

};


  6. After making changes, syslog-ng must be restarted for the changes to take effect:

    1. systemctl restart syslog-ng

Example of SNMP Messages received from Eyeglass


SNMP Messages for Replication Jobs status

8/21/2017 3:55:26 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done. 0 0 7619067 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [217] - Fetching post-configuration inventory. 0 0 7618578 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [214] - Unblocking deletes from the database 0 0 7618578 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,985 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$979 [179] - Writing replication xml file. 0 0 7618502 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,968 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$977 [124] - Writing fingerprints 0 0 7618499 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,021 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [109] - Fetching current inventory before running replication 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,017 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [104] - Clearing deleted items cache 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,003 [cron4j-task-10] INFO MAIN ReplicationTask:run [90] - Starting ReplicationTask 0 0 7616404 2




SNMP Messages for Policy Readiness

8/21/2017 3:41:09 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:09-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:41:09,012 [pool-68-thread-1] DEBUG MAIN PolicyReadinessValidation:doPolicyValidation [194] - Policy readiness validation completed successfully 0 0 7533303 2

8/21/2017 3:41:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.policyreadiness.PolicyReadinessValidation.doPolicyValidation(PolicyReadinessValidation.java:138) 0 0 7532456 2





SNMP Messages for Zone Readiness

8/21/2017 3:45:17 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:17-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:17,296 [pool-75-thread-1] DEBUG MAIN ReadinessJobResultHandler:handleResult [64] - JOB rnsm04-c03_rnsm04-c04: Status: {"state":"FINISHED","jobStatus":"OK","started":1503301507126,"finished":1503301507532,"duration":406,"name":"AccessZoneValidation rnsm04-c03_rnsm04-c04","info":"Access Zone Validation","children":[],"modified":1503301507532} 0 0 7558132 2

8/21/2017 3:45:08 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,480 [pool-80-thread-1] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557218 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:53) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:70) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.doAccessZoneValidation(AccessZoneValidation.java:315) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.collectConfigReplication(AccessZoneValidation.java:1127) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation$$Lambda$428/501745496.apply(Unknown Source) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.lambda$collectConfigReplication$743(AccessZoneValidation.java:1127) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,226 [pool-28-thread-2] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557154 2




SNMP Messages for ALARM

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,035 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events' 0 0 7628414 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,034 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628413 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628412 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.108', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:56:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,019 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.107', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628408 2


SNMP Message for Overall DR Status

8/21/2017 3:47:12 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:47:12-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:47:12,283 [pool-4-thread-33] DEBUG MAIN Policies:getAllPolicies [56] - [{"policy_name":"InsightIQ-NFSDS","policy_enabled":true,"policy_last_success":1497605568000,"policy_last_run":1497605568000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_InsightIQ-NFSDS","job_last_run":1503301518896,"job_last_success":1503301518896,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524918},{"policy_name":"z01-smb01-synciq","policy_enabled":true,"policy_last_success":1498033910000,"policy_last_run":1498033910000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_z01-smb01-synciq","job_last_run":1503301518900,"job_last_success":1503301518900,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524923},{"policy_name":"z01-smb01-synciq_mirror","policy_enabled":false,"policy_last_success":1498033810000,"policy_last_run":1498033905000,"policy_last_status":"finished","policy_status":"DISABLED","overall_dr_status":"FAILED_OVER","job_status":"DISABLED","job_name":"rnsm04-c04_z01-smb01-synciq_mirror","job_last_run":1498033840357,"job_last_success":1498033840357,"job_source":"rnsm04-c04","job_destination":"rnsm04-c03","job_enabled":false,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301528213}] 0 0 7569630 2

SNMP Message for Failover

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,241 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305907 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305907 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305880 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305879 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:rnsm04-c03_Policy Failover 2017-08-21_05-47-05, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success","Finished":1503308994249,"Started":1503308826347,"URL":"https://172.22.4.89/failover_logs/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS.json"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040 0 0 8305846 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,229 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [66] - ************************************************************************************************************** 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,228 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [65] - SyncIQ Reports For Policy: z01-smb01-synciq 0 0 8305836 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,740 [pool-298-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304276 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,470 [pool-281-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304249 2

8/21/2017 5:47:28 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:28-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:28,151 [pool-273-thread-1] DEBUG MAIN RunConfigurationReplication:handleReplication [48] - Starting replication during failover. 0 0 8291218 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,520 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [132] - DONE Wait for other failover jobs to complete 0 0 8289054 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,516 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [118] - Starting Wait for other failover jobs to complete 0 0 8289053 2

8/21/2017 5:47:05 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:05-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:05,574 [pool-4-thread-120] INFO MAIN PolicyFailoverJobFactory:createJob [83] - in policy failover 0 0 8288959 2


SNMP Message for Ransomware Events

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584996 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584995 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584993 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584993 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,300 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,282 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,280 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,265 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,264 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584421 2
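
On the management station, the alarm payloads above can be turned into structured records. The added example below (not Superna's code) parses the enterprises.50412.1.1 payload, decodes the Extra Data JSON rather than splitting on commas, and drops the second copy of an alarm that arrives through both the bash and localhost log paths. The field order is assumed from the samples on this page, the payloads are shortened copies of them, and the function names are illustrative.

```python
import json
import re

# Payload layout per the template on this page: "$ISODATE $HOST EYEGLASS $MSGHDR$MSG".
_HEADER = re.compile(r"^(?P<isodate>\S+) (?P<host>\S+) EYEGLASS (?P<rest>.*)$", re.S)
_EVENT = re.compile(r"Event: (?P<event>[\d\-:. ]+?), AID:(?P<aid>.*?), Port:")
_TAIL = re.compile(
    r"Description:(?P<description>.*?)\s*,\s*NSA,\s*"
    r"Severity:(?P<severity>[A-Z]+),\s*Impact:(?P<impact>\w+),\s*"
    r"Category:(?P<category>\w+)"
)
_EXTRA = "Extra Data:"


def parse_alarm(payload):
    """Parse one trap payload; return a dict for alarm lines, None for other log lines."""
    header = _HEADER.match(payload.strip())
    if header is None:
        return None
    rest = header.group("rest")
    event = _EVENT.search(rest)
    start = rest.find(_EXTRA)
    if event is None or start < 0:
        return None
    try:
        # Extra Data is JSON that itself contains commas, so decode it in place.
        extra, end = json.JSONDecoder().raw_decode(rest, start + len(_EXTRA))
    except json.JSONDecodeError:
        return None
    tail = _TAIL.search(rest, end)
    if tail is None:
        return None
    return {
        "received": header.group("isodate"),
        "host": header.group("host"),
        "event": event.group("event"),
        "aid": event.group("aid"),
        "extra": extra,
        **tail.groupdict(),
    }


def unique_alarms(payloads):
    """Parse payloads and drop repeats of one alarm (same event time, AID, category)."""
    seen, alarms = set(), []
    for payload in payloads:
        alarm = parse_alarm(payload)
        if alarm is None:
            continue
        key = (alarm["event"], alarm["aid"], alarm["category"])
        if key not in seen:
            seen.add(key)
            alarms.append(alarm)
    return alarms


# Constructed sample payloads, shortened from the ransomware example traps on this page.
_RANSOM = (
    r"Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, "
    r'Type:null, EntityType:, Extra Data:{"severity":"WARNING",'
    r'"user name":"RNSM04\\rnsm04-t32",'
    r'"files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt"],'
    r'"explanation":"New ransomware event created",'
    r'"sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, '
    r"Description:Ransomware signal received. , NSA, Severity:CRITICAL, "
    r"Impact:false, Category:SCA0061 0 0 8584517 2"
)
SAMPLES = [
    "2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: "
    "2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - "
    + _RANSOM,
    "2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - " + _RANSOM,
    "2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: "
    "2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - "
    "Received ECA ransomware notification for sid "
    "S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584437 2",
]

if __name__ == "__main__":
    for alarm in unique_alarms(SAMPLES):
        print(alarm["severity"], alarm["category"], alarm["description"])
        print("  user:", alarm["extra"].get("user name"))
        print("  files:", alarm["extra"].get("files"))
```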