<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7655.1">
<TITLE>Re: [rancid] Email notification with RANCID</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>The syslog events are indexed in Splunk with a specific sourcetype, in our<BR>
case 'Rancid'. We run RANCID via cron once a day. Therefore, our Splunk<BR>
reports are on a daily schedule. Here is a list of the reports that we run.<BR>
<BR>
Consistent errors, where the same device has an error for the last two<BR>
weeks. Run daily, for the last 2 weeks. Query: sourcetype="Rancid"<BR>
"rancid-run" error | stats count by device | where count > 13<BR>
<BR>
Excessive errors, where we have a large number of errors in a single run.<BR>
Run daily, for the last 24 hours. Query: sourcetype="Rancid" rancid Errors > 7<BR>
<BR>
Did not finish, where we do not see the end of the run for our three RANCID<BR>
groups. Run daily, for the last 24 hours. Query: sourcetype="Rancid"<BR>
rancid-run ending: | stats count by date_mday | where count != 3<BR>
<BR>
The reports are only emailed to our network team if the event count is<BR>
greater than zero. In other words, we only get notified if there is a<BR>
problem.<BR>
<BR>
If you want to discuss this further, let's take it off-list.<BR>
<BR>
Skye.<BR>
<BR>
<BR>
<BR>
On 1/20/12 12:52 AM, "Krzysztof Zygmunt" &lt;krzysztof.zygmunt@gmail.com&gt;<BR>
wrote:<BR>
<BR>
> Hi,<BR>
><BR>
> It looks very interesting, can you tell me what you do with those<BR>
> syslog messages on the Splunk side? How do you generate any reports from<BR>
> such information?<BR>
><BR>
> cheers<BR>
> kris<BR>
><BR>
> 2012/1/18 Hagen, Skye &lt;skyeh@uidaho.edu&gt;:<BR>
>> We took a completely different tack on notification. We back up over 1600<BR>
>> devices nightly, and only want notification if there is a problem, and in<BR>
>> some cases, only when there is a major problem.<BR>
>><BR>
>> We use syslog with Splunk for a majority of our reporting. What I did was to<BR>
>> wrap 'rancid-run' in a shell script that will take the logs, massage them,<BR>
>> and send the results to syslog.<BR>
>><BR>
>> We have created a number of Splunk reports, such as a report that tells us<BR>
>> if there are excessive errors, or if a backup has had successive failures.<BR>
>><BR>
>> If anyone is interested, I have attached the script.<BR>
>><BR>
>> Skye.<BR>
>><BR>
>><BR>
>><BR>
>><BR>
>><BR>
>> On 1/16/12 5:58 PM, "Michael Lee" &lt;michael.lee@mincom.com&gt; wrote:<BR>
>><BR>
>>> Hi,<BR>
>>><BR>
>>> Really appreciate your reply. Yeah, however I am trying to list out all the<BR>
>>> devices and backup status in a list. By the way, do you know any way to send<BR>
>>> the configuration diff using html format in an EMAIL similar to what we see on<BR>
>>> VIEWVC?<BR>
>>><BR>
>>><BR>
>>> BR,<BR>
>>> Michael<BR>
>>> -----Original Message-----<BR>
>>> From: shouldbe q931 [<A HREF="mailto:shouldbeq931@gmail.com">mailto:shouldbeq931@gmail.com</A>]<BR>
>>> Sent: Tuesday, January 17, 2012 2:55 AM<BR>
>>> To: Michael Lee<BR>
>>> Cc: rancid-discuss@shrubbery.net<BR>
>>> Subject: Re: [rancid] Email notification with RANCID<BR>
>>><BR>
>>> On Mon, Jan 16, 2012 at 5:33 AM, Michael Lee &lt;michael.lee@mincom.com&gt;<BR>
>>> wrote:<BR>
>>>> Hi all,<BR>
>>>><BR>
>>>><BR>
>>>><BR>
>>>> I am new to RANCID, hopefully you guys can help. I have been trying to find<BR>
>>>> some way to make RANCID notify daily through mail which devices is backup<BR>
>>>> successful and which backup is not successful.<BR>
>>>><BR>
>>>> Is there currently a way to do this? I notice the capability at the moment<BR>
>>>> only send notification on the changes of the configuration.<BR>
>>>><BR>
>>>><BR>
>>>><BR>
>>>> Many thanks in advance,<BR>
>>>><BR>
>>>><BR>
>>>><BR>
>>>> Br,<BR>
>>>><BR>
>>>> Michael<BR>
>>>><BR>
>>>><BR>
>>><BR>
>>> rancid will send a notification email if it has not been able to<BR>
>>> contact a device for 24 hours, the below is from control_rancid<BR>
>>><BR>
>>><BR>
>>> ----------------------------------------------------------------------------<BR>
>>> # If any machines have not been reached within the last $OLDTIME<BR>
>>> # hours, mail out a list of them.<BR>
>>> cd $DIR/configs<BR>
>>> rm -f $DIR/routers.failed<BR>
>>> if [ "X$OLDTIME" = "X" ] ; then<BR>
>>> OLDTIME=24<BR>
>>> fi<BR>
>>><BR>
>>> ----------------------------------------------------------------------------<BR>
>>><BR>
>>><BR>
>>> _______________________________________________<BR>
>>> Rancid-discuss mailing list<BR>
>>> Rancid-discuss@shrubbery.net<BR>
>>> <A HREF="http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss">http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss</A><BR>
>><BR>
>><BR>
<BR>
</FONT>
</P>
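<P><FONT SIZE=2>An added example, not the script attached to the original post: one way the "massage the logs and send the results to syslog" step could emit events that the three Splunk queries above can match. The run-log layout, the group and device names, the event fields (group=, device=, msg=, Errors=) and the logger tag and facility are all assumptions; the sample log is constructed.</FONT></P>

```shell
#!/bin/sh
# Added example: turn a RANCID run log into key=value syslog events.
# The log layout and the event fields are assumptions, not Skye's script.

# Constructed sample log for one group (hypothetical device names).
sample_log() {
cat <<'EOF'
starting: Fri Jan 20 01:00:01 PST 2012
Trying to get all of the configs.
sw-lib-01 clogin error: Error: TIMEOUT reached
rtr-edge-02 clogin error: Error: banner device=core-fw "ok"
ending: Fri Jan 20 01:14:37 PST 2012
EOF
}

# massage_log GROUP: read a run log on stdin, print one event per line.
massage_log() {
    # Strip control characters (CR included), then quotes and '=' from
    # device-supplied text so it cannot forge extra lines or fields.
    LC_ALL=C tr -d '\000-\010\013-\037\177' | awk -v group="$1" '
        function clean(s) { gsub(/["=]/, "", s); return s }
        $3 == "error:" {
            msg = $0
            sub(/^[^ ]+ +[^ ]+ +error: */, "", msg)
            printf "rancid-run error group=%s device=%s msg=\"%s\"\n",
                   group, clean($1), clean(msg)
            errors++
        }
        /^ending: / { ended = 1 }
        END {
            printf "rancid group=%s Errors=%d\n", group, errors
            # Only a complete run emits this; its absence means "did not finish".
            if (ended) printf "rancid-run ending: group=%s\n", group
        }'
}

# send_to_syslog: forward each event on stdin with logger(1).
# Tag and facility are assumptions; map them to the sourcetype in Splunk.
send_to_syslog() {
    while IFS= read -r line; do
        logger -t rancid -p local5.notice "$line"
    done
}

# Offline demo; in a wrapper: massage_log "$group" < "$logfile" | send_to_syslog
sample_log | massage_log core
```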
</BODY>
</HTML>