BPDU Spanning Tree alerts

Alexandre_Chevrier · 17 October 2022 17:23

Hi,
when a loop is created in our Aruba environment, a log is created because we shut down the port, like this :
00898 ports: BPDU protect(5) has disabled port 22 for 300 seconds
or
00840 stp: port 9 disabled for 300 seconds - BPDU received on protected port.

In libreNMS, this correspond to :
ifAdminStatus: up → down
recovery is this eventlog :
ifAdminStatus: down → up

Is there a way to create an altert rule to be informed of loop created on the network ?
Thanks !

rhinoau · 18 October 2022 02:19

If you have syslog messages from the device coming to LibreNMS you can, there are existing rule examples you can modify to look at a time window for particular things and alert on them:

For example:

Begin oversharing:

I use the above to flag login failures to network devices etc. If you don’t then have a notification going somewhere for them though, blink and you’ll miss them on the dashboard as they will go away after the search window (5 minutes above).

I tend to use the LibreNMS dashboard and visible alerts for ‘status’ views of things and don’t send much to notifications to reduce the noise, but when I do need a notification somewhere that is really important to me, I either:

Have a specific transport used for specific rules I really care about, for example I have a ‘security’ transport for specific alert rules to a slack channel to separate from the general noise.
Integrate Graylog to handle events from syslog and from LibreNMS logs themselves and then customise notifications/escalations, or;
Use the External Hook feature to process critical log entries as they come in and do something - such as send to a slack channel - I use this for firewall threat detection events:
See: Syslog - external-hooks

As I construct that house of cards, I then run scripts to fire test alerts once a week to test my notification chains so I can trust any silence … something as simple as this in cron that I trigger notifications from in my alert rules/handling:

58 8 * * * librenms echo XVERYTHING IS OK | tr X E | logger

Alexandre_Chevrier · 18 October 2022 18:24

Hi thanks for the answer. I was using event log so I ended up using syslog instead. Here’s my alert rule :
syslog.timestamp greater or equal ‘macros.past_5m’
AND
syslog.msg regex .BPDU received on protected port.

Original syslog event looks like that :
2022-10-18 14:17:43 warning sa-003-01 STP port 5 disabled for 300 seconds - BPDU received on protected port. [00840] warning

My alert template contains :
@if ($alert->faults)
@foreach ($alert->faults as $key => $value)
{{ $value[‘string’] }} {{ $value[‘msg’] }}
@endforeach
@endif

Which returns a way to long line :
sysObjectID = .1.3.6.1.4.1.11.2.3.7.11.181.21; sysDescr = Aruba JL256A 2930F-48G-PoE±4SFP+ Switch, revision WC.16.10.0021, ROM WC.16.01.0009 (/ws/swbuildm/rel_ajanta_qaoff/code/build/lvm(swbuildm_rel_ajanta_qaoff_rel_ajanta)); location_id = 32; msg = port 19 disabled for 300 seconds - BPDU received on protected port. [00840]; port 19 disabled for 300 seconds - BPDU received on protected port. [00840]

Is there a way to change my template so $value writes only “port 19” ? I will then complete the template with a text that ITs on site will understand.

Thanks !

system · 16 January 2023 18:25

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.