Can we exclude the syslog event "SSH-3-BAD_PACK_LEN: Bad packet length" from alarming in Spectrum


Article ID: 221959


Products

CA Spectrum

Issue/Introduction

We would like to exclude the following syslog event, which is creating an alarm and also creating a ticket in Service Desk.

I found that this event is mapped under the Major syslog event (0x21001b), but I don't want to exclude all major syslog events, only the type of syslog below:

%SSH-3-BAD_PACK_LEN: Bad packet length

 

 

Environment

Release : ANY

Component : Spectrum Events and Alarms

Cause

Event Customization

Resolution

Create an Event Condition rule on event 0x21001b so that this syslog message no longer raises an alarm:

 

0x21001b E 50 R CA.EventCondition, "(regexp({v 1}, {S \"SSH-3-BAD_PACK_LEN\"}))", "0xfff0048 -:-", "default", "0xfff0049 -:-"
0xfff0048 E 0
0xfff0049 E 50 A 2,0x21001b

 

The rule filters syslog event 0x21001b by applying a regular expression to event variable 1 ({v 1}), looking for the value "SSH-3-BAD_PACK_LEN". If the value is present, the rule creates event 0xfff0048, which does not create an alarm.

Any other syslog message falls through to the "default" branch and raises the original syslog alarm through event 0xfff0049, which uses the cause code 0x21001b.
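Before loading a suppression rule it is worth checking that it silences only the intended message and nothing else from the same device. The following dry run is an added example, not Spectrum or Broadcom code: it parses the three EventDisp lines above and routes constructed sample messages through them. It assumes regexp() succeeds on a substring match, and the function names and sample messages are illustrative.

```python
import re

# The three EventDisp lines from this article, with the pattern quoted as \"...\".
EVENTDISP = r'''
0x21001b E 50 R CA.EventCondition, "(regexp({v 1}, {S \"SSH-3-BAD_PACK_LEN\"}))", "0xfff0048 -:-", "default", "0xfff0049 -:-"
0xfff0048 E 0
0xfff0049 E 50 A 2,0x21001b
'''

# Constructed sample values for event variable 1 (not taken from a real device log).
SAMPLES = [
    "%SSH-3-BAD_PACK_LEN: Bad packet length 1349676916",
    "%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

def parse_eventdisp(text):
    """Return (rules, alarms): branch list per event, alarm severity per event."""
    rules, alarms = {}, {}
    for line in text.strip().splitlines():
        code = line.split()[0]
        head, _, rule = line.partition(" R CA.EventCondition,")
        # Quoted fields alternate: condition, target event, condition, target event.
        fields = re.findall(r'"((?:[^"\\]|\\.)*)"', rule)
        for cond, target in zip(fields[0::2], fields[1::2]):
            m = re.search(r'\{S \\"(.*)\\"\}', cond)
            # None stands for the "default" branch (only regexp() is modelled here).
            rules.setdefault(code, []).append((m.group(1) if m else None, target.split()[0]))
        alarm = re.search(r' A (\d+),', head)
        if alarm:
            alarms[code] = int(alarm.group(1))
    return rules, alarms

def route(value, rules, alarms, event="0x21001b"):
    """Return (resulting event, alarm severity or None) for one variable-1 value."""
    for pattern, target in rules.get(event, []):
        # Assumption: regexp() succeeds on a substring match (the pattern is unanchored).
        if pattern is None or re.search(pattern, value):
            event = target
            break
    return event, alarms.get(event)

def dry_run(samples=SAMPLES):
    """Route every sample through the parsed rule set."""
    rules, alarms = parse_eventdisp(EVENTDISP)
    return {s: route(s, rules, alarms) for s in samples}

if __name__ == "__main__":
    for msg, (event, sev) in dry_run().items():
        print(f"{event}  alarm={sev}  {msg}")
```

Only the BAD_PACK_LEN sample ends at 0xfff0048 with no alarm; the other SSH message and the link event still reach 0xfff0049 and alarm as before.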