Eyeglass Alarm Forwarding Guide SNMP and Syslog

Eyeglass Alarm Forwarding Guide

SNMP Trap Forwarding and Syslog Add-on



Overview:


This add-on solution allows the syslog messages on the Eyeglass appliance to be forwarded over SNMP. The Eyeglass syslog contains Isilon cluster alarms/events and DR status alarms from Eyeglass.


The normal syslog forwarding feature available in the Eyeglass UI allows syslog messages to be forwarded. This procedure adds SNMP forwarding, using the supplied MIB, to a management platform.


Supported Alarms

  1. Eyeglass alarms

  2. Isilon alarms are collected


Installation and Configuration

Requirements:

  1. Eyeglass with openSUSE 42.x operating system. Eyeglass version 1.9.3 or later.

  2. Superna Eyeglass MIB file. The MIB file is part of the zip file download. Place the SUPERNA-EYEGLASS-MIB file onto your SNMP trap management station.


Installation of SNMP driver package


  1. Download the zip file here. Copy the three files required for the SNMP driver package installation to the Eyeglass appliance using scp (for example, WinSCP).

    1. install.sh

    2. superna-supernapy-95460366226a.tar.bz2

    3. superna-pygls-21af86a5fd49.tar.bz2


  2. Log in to the Eyeglass appliance as user admin


  3. Execute the following commands:

$ chmod +x install.sh

$ sudo ./install.sh ./superna-supernapy-95460366226a.tar.bz2 ./superna-pygls-21af86a5fd49.tar.bz2  (enter admin password)


  4. Once the SNMP driver package installation has completed, run the following commands to configure the system:


$ exec bash -l  (to reload your Bash session to pick up new environment settings)

$ sudo -E pygls-snmptrap --setup (adds the required entries to the syslog-ng configuration and configures the SNMP settings; you can re-run this command to change settings, or edit the file /opt/superna/sca/conf/snmptraps.ini)

We need to specify the following:

Server Address: IP address of the SNMP receiver

Port: Port number (default 162)

SNMP Engine ID: SNMP Engine ID for SNMPv3

SNMP Version: Default 2c

Community String: Default public



Example:

Server Address: 172.22.22.29

Port: 162

SNMP Engine ID:

SNMP Version: 2c

Community String: public


$ pygls-snmptrap --test (sends a test SNMP message to the SNMP receiver; verify that this test message is received on the SNMP server)


SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = Superna Eyeglass Syslog-NG SNMP Notification Test Message



  1. NOTE: By default the log filter sends all messages as traps, which produces a large number of trap messages.

  2. It is recommended to replace the default with a filter on a specific alarm severity. See the next section.



How to configure filtering of syslog messages by Alarm Type


This section explains how to select which log message text is forwarded to SNMP. It can be used to send only INFO, Warning or Critical events. It can also be used to send specific events, for example Ransomware events or DR events.


  1. SSH to the appliance as the admin user

  2. sudo -s

  3. Enter the admin password

  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows:


Default Filter  

filter f_superna_snmp {

   netmask("127.0.0.1/32");

};


Replace the default filter section with one of the examples below

filter f_superna_snmp {

   message("Severity:CRITICAL");

};


OR


filter f_superna_snmp {

   message("Severity:MAJOR");

};


OR


filter f_superna_snmp {

   message("Severity:WARNING");

};


OR


filter f_superna_snmp {

   message("Severity:MINOR");

};



OR


filter f_superna_snmp {

   message("Severity:INFO");

};

  6. Save and exit the file with CTRL+X

  7. Answer Yes

  8. Now restart the logging service

  9. systemctl restart syslog-ng

  10. Verify that the file was edited correctly and that syslog-ng is running

  11. systemctl status -l syslog-ng

  12. Done.



To combine multiple alarm severities, or to combine message strings, see the example below.


filter f_superna_snmp {

   message("Severity:CRITICAL") or message("Severity:MAJOR") ;

};
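The filter bodies above can be dry-run against message text before syslog-ng is restarted. The following is an added example, not part of the Superna package: it assumes message() is an unanchored, case-sensitive regular expression match on the message text, assumes "not" binds tighter than "and", which binds tighter than "or", and uses message texts abbreviated from the trap samples later on this page. The helper names are hypothetical.

```python
import re

# Message texts abbreviated from the trap samples on this page (constructed subset).
SAMPLES = {
    "ransomware_alarm": (
        'Eyeglass, , Event: 2017-08-21 06:36:21.149, Extra Data:{"severity":"WARNING",'
        '"explanation":"New ransomware event created"}, Description:Ransomware signal '
        'received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061'
    ),
    "failover_alarm": (
        'Eyeglass, , Event: 2017-08-21 05:49:54.253, Extra Data:{"Status":"Success"}, '
        'Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, '
        'Category:SCA0040'
    ),
    "alarm_debug": (
        "DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', "
        "Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events'"
    ),
    "replication_debug": "DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done.",
}

# Tokens: message("regex"), the words and/or/not, and parentheses.
TOKEN = re.compile(r'\s*(?:message\("((?:[^"\\]|\\.)*)"\)|\b(and|or|not)\b|([()]))')


def tokenize(body):
    """Split a filter body such as 'message("A") or message("B");' into tokens."""
    body = body.strip().rstrip(";").strip()
    tokens, pos = [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if m is None:
            raise ValueError("unsupported filter syntax: " + body[pos:])
        if m.group(1) is not None:
            tokens.append(("message", m.group(1)))
        else:
            tokens.append((m.group(2) or m.group(3), None))
        pos = m.end()
    return tokens


def matches(body, message):
    """Evaluate the filter body against one message text (recursive descent)."""
    tokens = tokenize(body)
    pos = 0

    def peek():
        return tokens[pos][0] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("incomplete filter expression")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_unary()
        while peek() == "and":
            take()
            rhs = parse_unary()
            value = value and rhs
        return value

    def parse_unary():
        kind, pattern = take()
        if kind == "not":
            return not parse_unary()
        if kind == "(":
            value = parse_or()
            if take()[0] != ")":
                raise ValueError("missing ')'")
            return value
        if kind != "message":
            raise ValueError("unexpected token: " + kind)
        return re.search(pattern, message) is not None

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter expression")
    return result


def forwarded(body):
    """Names of the sample messages that the filter body would forward."""
    return sorted(name for name, text in SAMPLES.items() if matches(body, text))
```

On these samples, message("Severity:INFO") also forwards the Severity:INFORMATIONAL failover record because the match is a substring match, while message("Severity:MAJOR") does not match the DEBUG line that prints Severity: 'MAJOR' with a space and quotes.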


How to configure filtering of syslog and syslog forwarding

The current release has a UI function that will be updated in release 2.0.


These instructions are for release 1.9.3 or later.


  1. SSH to the appliance as the admin user

  2. sudo -s

  3. Enter the admin password

  4. nano /etc/syslog-ng/conf.d/superna-snmp.conf

  5. Edit the section below and change the text as follows.

    1. Enter the address of your syslog server in place of x.x.x.x in the logserver destination

    2. SNMP messages will be sent to the server configured with:

      1. sudo -E pygls-snmptrap --setup

      2. Or nano /opt/superna/sca/conf/snmptraps.ini (make changes here)

    3. This filter will send Critical and Warning alarms to both the syslog and SNMP trap destinations.


filter f_superna {

   message("Severity:CRITICAL") or message("Severity:WARNING") ;

};


destination logserver { udp("x.x.x.x" port(514)); };


destination superna_snmp {

   program(

       "/usr/local/bin/pygls-snmptrap"

       flush_lines(1)

       flags(no_multi_line)

       template("$ISODATE $HOST EYEGLASS $MSGHDR$MSG\n")

   );

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(superna_snmp);

};


log {

   source(src);

   source(chroots);

   filter(f_superna);

   destination(logserver);

};


  6. After making changes, syslog must be restarted for the changes to take effect

    1. systemctl restart syslog-ng

Example of SNMP Messages received from Eyeglass


SNMP Messages for Replication Jobs status

8/21/2017 3:55:26 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - ReplicationTask is done. 0 0 7619067 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [217] - Fetching post-configuration inventory. 0 0 7618578 2

8/21/2017 3:55:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:21,753 [pool-96-thread-1] DEBUG MAIN ReplicationTask:lambda$run$980 [214] - Unblocking deletes from the database 0 0 7618578 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,985 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$979 [179] - Writing replication xml file. 0 0 7618502 2

8/21/2017 3:55:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:20,968 [pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$977 [124] - Writing fingerprints 0 0 7618499 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,021 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [109] - Fetching current inventory before running replication 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,017 [pool-97-thread-1] DEBUG MAIN ReplicationTask:lambda$run$976 [104] - Clearing deleted items cache 0 0 7616408 2

8/21/2017 3:54:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:55:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:00,003 [cron4j-task-10] INFO MAIN ReplicationTask:run [90] - Starting ReplicationTask 0 0 7616404 2




SNMP Messages for Policy Readiness

8/21/2017 3:41:09 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:09-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:41:09,012 [pool-68-thread-1] DEBUG MAIN PolicyReadinessValidation:doPolicyValidation [194] - Policy readiness validation completed successfully 0 0 7533303 2

8/21/2017 3:41:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:41:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.policyreadiness.PolicyReadinessValidation.doPolicyValidation(PolicyReadinessValidation.java:138) 0 0 7532456 2





SNMP Messages for Zone Readiness

8/21/2017 3:45:17 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:17-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:17,296 [pool-75-thread-1] DEBUG MAIN ReadinessJobResultHandler:handleResult [64] - JOB rnsm04-c03_rnsm04-c04: Status: {"state":"FINISHED","jobStatus":"OK","started":1503301507126,"finished":1503301507532,"duration":406,"name":"AccessZoneValidation rnsm04-c03_rnsm04-c04","info":"Access Zone Validation","children":[],"modified":1503301507532} 0 0 7558132 2

8/21/2017 3:45:08 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,480 [pool-80-thread-1] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557218 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:53) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.call(AccessZoneValidation.java:70) 0 0 7557171 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.doAccessZoneValidation(AccessZoneValidation.java:315) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.collectConfigReplication(AccessZoneValidation.java:1127) 0 0 7557170 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation$$Lambda$428/501745496.apply(Unknown Source) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: at com.superna.nde.jobengine.readiness.zonereadiness.operations.AccessZoneValidation.lambda$collectConfigReplication$743(AccessZoneValidation.java:1127) 0 0 7557167 2

8/21/2017 3:45:07 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:45:07-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:45:07,226 [pool-28-thread-2] DEBUG MAIN AccessZoneValidation:doAccessZoneValidation [213] - { 0 0 7557154 2




SNMP Messages for ALARM

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,035 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: 'rnsm04-03', Severity: 'MAJOR', Description: 'ECA Service unreachable to scan for events' 0 0 7628414 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,034 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628413 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.109', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628412 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,028 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.108', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628411 2

8/21/2017 3:57:00 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,025 [cron4j-task-8] INFO MAIN AlarmDataManager:executeSave [2815] - Sending alarm from '' to DB 0 0 7628411 2

8/21/2017 3:56:59 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:57:00-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:57:00,019 [cron4j-task-8] DEBUG MAIN AlarmDataManager:executeSave [2817] - >> Keys: Sync-Key: '172.22.4.107', Severity: 'MAJOR', Description: 'ECA Node inactive or in error state' 0 0 7628408 2


SNMP Message for Overall DR Status

8/21/2017 3:47:12 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T03:47:12-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:47:12,283 [pool-4-thread-33] DEBUG MAIN Policies:getAllPolicies [56] - [{"policy_name":"InsightIQ-NFSDS","policy_enabled":true,"policy_last_success":1497605568000,"policy_last_run":1497605568000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_InsightIQ-NFSDS","job_last_run":1503301518896,"job_last_success":1503301518896,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524918},{"policy_name":"z01-smb01-synciq","policy_enabled":true,"policy_last_success":1498033910000,"policy_last_run":1498033910000,"policy_last_status":"finished","policy_status":"SUCCESS","overall_dr_status":"WARNING","job_status":"SUCCESS","job_name":"rnsm04-c03_z01-smb01-synciq","job_last_run":1503301518900,"job_last_success":1503301518900,"job_source":"rnsm04-c03","job_destination":"rnsm04-c04","job_enabled":true,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301524923},{"policy_name":"z01-smb01-synciq_mirror","policy_enabled":false,"policy_last_success":1498033810000,"policy_last_run":1498033905000,"policy_last_status":"finished","policy_status":"DISABLED","overall_dr_status":"FAILED_OVER","job_status":"DISABLED","job_name":"rnsm04-c04_z01-smb01-synciq_mirror","job_last_run":1498033840357,"job_last_success":1498033840357,"job_source":"rnsm04-c04","job_destination":"rnsm04-c03","job_enabled":false,"job_has_policy":true,"audit_status":"AUDITSUCCEEDED","policy_readiness_last_success":1503301528213}] 0 0 7569630 2

SNMP Message for Failover

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,241 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305934 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,238 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305907 2

8/21/2017 5:49:55 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305907 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,236 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305880 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [70] - ************************************************************************************************************** 0 0 8305879 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 05:49:54.253, AID:rnsm04-c03_Policy Failover 2017-08-21_05-47-05, Port:Nil, Type:null, EntityType:, Extra Data:{"Status":"Success","Finished":1503308994249,"Started":1503308826347,"URL":"https://172.22.4.89/failover_logs/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS/Policy_Failover__rnsm04-c03__2017-08-21_05-47-05__SUCCESS.json"}, Description:Failover Succeeded , NSA, Severity:INFORMATIONAL, Impact:false, Category:SCA0040 0 0 8305846 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,234 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:lambda$appendReportsToLog$617 [69] - { 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,229 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [66] - ************************************************************************************************************** 0 0 8305837 2

8/21/2017 5:49:54 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:54-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:54,228 [pool-284-thread-1] INFO com.superna.nde.jobengine.failover.operations.AddReportsToLogs AddReportsToLogs:appendReportsToLog [65] - SyncIQ Reports For Policy: z01-smb01-synciq 0 0 8305836 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,740 [pool-298-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304276 2

8/21/2017 5:49:38 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:49:38-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:49:38,470 [pool-281-thread-1] DEBUG MAIN QuotaJobFactory:runPrepJob [77] - Is controlled failover? true 0 0 8304249 2

8/21/2017 5:47:28 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:28-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:28,151 [pool-273-thread-1] DEBUG MAIN RunConfigurationReplication:handleReplication [48] - Starting replication during failover. 0 0 8291218 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,520 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [132] - DONE Wait for other failover jobs to complete 0 0 8289054 2

8/21/2017 5:47:06 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:06-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:06,516 [pool-273-thread-1] DEBUG MAIN FailoverStep:call [118] - Starting Wait for other failover jobs to complete 0 0 8289053 2

8/21/2017 5:47:05 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T05:47:05-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 05:47:05,574 [pool-4-thread-120] INFO MAIN PolicyFailoverJobFactory:createJob [83] - in policy failover 0 0 8288959 2


SNMP Message for Ransomware Events

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584996 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,923 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584995 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584993 2

8/21/2017 6:36:25 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:25-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:25,901 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584993 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:21,151 [Thread-31] INFO SYSLOG AlarmHandlerTask:run [154] - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:21 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32","files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\ctest4.txt","\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest1.txt"],"explanation":"New ransomware event created","sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, Category:SCA0061 0 0 8584517 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,301 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,300 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584437 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,282 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,280 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584434 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,265 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,264 [pool-4-thread-146] DEBUG MAIN RequestDispatcher:getPlugin [180] - retrieving plugin: com.superna.scaapi.plugins.ransomware.HandleRdaEvent 0 0 8584429 2

8/21/2017 6:36:20 AM 172.22.4.89 SNMPv2-MIB::snmpTrapOID.0 = SNMPv2-SMI::enterprises.50412.0.1

SNMPv2-SMI::enterprises.50412.1.1 = 2017-08-21T06:36:20-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 06:36:20,183 [pool-4-thread-146] DEBUG MAIN HandleRdaEvent:post [24] - Received ECA ransomware notification for sid S-1-5-21-4205747320-2446522354-1604720750-11190 0 0 8584421 2
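
On the receiving side, the alarm records above (the lines containing "Extra Data:") can be split into fields for alert routing. The following is an added example, not Superna code: it assumes the record layout seen in this page's samples, treats the trailing numeric columns as not part of the alarm text, and uses hypothetical function names; the sample is the ransomware record above with the file list shortened to one entry.

```python
import json
import re

# One alarm trap payload from this page, "files" list shortened to one entry.
SAMPLE = (
    r'2017-08-21T06:36:21-04:00 localhost EYEGLASS [INFO] SYSLOG:154 - Eyeglass, , '
    r'Event: 2017-08-21 06:36:21.149, AID:RNSM04\rnsm04-t32, Port:Nil, Type:null, '
    r'EntityType:, Extra Data:{"severity":"WARNING","user name":"RNSM04\\rnsm04-t32",'
    r'"files":["\\\\rnsm04-c03\\zone01\\ifs\\data\\zone01\\z01-smb01\\Data01\\dtest3.txt"],'
    r'"explanation":"New ransomware event created",'
    r'"sid":"S-1-5-21-4205747320-2446522354-1604720750-11190"}, '
    r'Description:Ransomware signal received. , NSA, Severity:CRITICAL, Impact:false, '
    r'Category:SCA0061 0 0 8584517 2'
)

# A non-alarm payload from this page (no "Extra Data:" section).
NON_ALARM = (
    "2017-08-21T03:55:26-04:00 rnsm04-igls-03 EYEGLASS bash[19595]: 2017-08-21 03:55:26,634 "
    "[pool-97-thread-2] DEBUG MAIN ReplicationTask:lambda$run$982 [246] - "
    "ReplicationTask is done. 0 0 7619067 2"
)

# Comma-delimited "Key:value" fields outside the JSON section.
FIELD = re.compile(r"\b(Event|AID|Description|Severity|Category):\s*([^,]*)")


def parse_alarm(payload):
    """Return the alarm fields as a dict, or None if the payload is not an alarm record."""
    marker = "Extra Data:"
    start = payload.find(marker)
    if start < 0:
        return None
    json_start = start + len(marker)
    while json_start < len(payload) and payload[json_start].isspace():
        json_start += 1
    try:
        # raw_decode stops at the end of the JSON value, so commas inside the
        # JSON never get confused with the record's own field separators.
        extra, json_end = json.JSONDecoder().raw_decode(payload, json_start)
    except json.JSONDecodeError:
        return None
    if not isinstance(extra, dict):
        return None
    record = {"extra_data": extra}
    for part in (payload[:start], payload[json_end:]):
        for key, value in FIELD.findall(part):
            record[key.lower()] = value.strip()
    if record.get("category"):
        # Drop the trailing numeric columns (assumed not to be alarm text).
        record["category"] = record["category"].split()[0]
    return record


def summarize(record):
    """Fields an analyst needs first: who, what, and both severity values."""
    extra = record["extra_data"]
    return {
        "severity": record.get("severity"),
        "event_severity": extra.get("severity"),
        "category": record.get("category"),
        "description": record.get("description"),
        "user": extra.get("user name"),
        "sid": extra.get("sid"),
        "files": extra.get("files", []),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_alarm(SAMPLE)), indent=2))
```

These payloads carry user names, SIDs and file paths, and SNMP version 2c does not encrypt them in transit.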