I’m encountering a strange bug with a bgp session down rule.
Normally, the rule looks like:
bgpPeers.bgpPeerState != "established" AND macros.device_up = 1 AND bgpPeers.bgpPeerAdminStatus != "stop" AND bgpPeers.bgpPeerState != ''
This produces an alert similar to the following (as expected):
#1: Peer Desc: PEER-NAME
Peer AS: 65000 IP: 2001:0db8:2000:0000:0000:0000:0000:0029
Peer State: active EstTime: 0
[AS and IP anonymized]
When I add 'AND bgpPeers_cbgp.afi = "ipv4"' to this rule with the intent of only alerting on IPv4-based sessions, the down v6 session still alerts, and generates 60+ apparently duplicate faults in the alert.
What would be the best way to troubleshoot this further? Any ideas on what may be causing it?
I think I’ve figured out my issue:
When mixing together rule conditions in bgpPeers and bgpPeers_cbgp, the only thing tying these two tables together in the query is the device ID. So that means every row in bgpPeers_cbgp that has the right device_id will cause a new match to the offending rule against bgpPeers.
I figured this out by testing different queries direct to the database. My rule was composing something similar to the following query:
SELECT * FROM devices,bgpPeers,bgpPeers_cbgp
WHERE (devices.device_id = 29 AND devices.device_id = bgpPeers.device_id AND devices.device_id = bgpPeers_cbgp.device_id)
AND bgpPeers.bgpPeerState != "established"
AND (devices.status = 1 && (devices.disabled = 0 && devices.ignore = 0)) = 1
AND bgpPeers.bgpPeerAdminStatus != "stop"
AND bgpPeers.bgpPeerState != ''
AND bgpPeers_cbgp.afi = "ipv4"
This was causing a new rule match for every row in bgpPeers_cbgp that matched device_id for the one row in bgpPeers that matched the other conditions. Hence the multiple alert faults for one alertable condition.
I fixed this in the query by adding a clause:
AND bgpPeers.bgpPeerIdentifier = bgpPeers_cbgp.bgpPeerIdentifier
to make sure the rule only evaluated where the two tables referenced the same BGP peer. This caused the query to return the expected single row (and only when bgpPeers_cbgp.afi = "ipv4" truly matched).
So now, my question is whether it is possible to specify another table.column as a match condition in the rule builder rather than just using a custom SQL query? I tried just referencing the table, and the result was:
AND bgpPeers.bgpPeerIdentifier = "bgpPeers_cbgp.bgpPeerIdentifier"
Not exactly what I was looking for.
One more follow-up:
I created a macro to test that the bgpPeerIdentifier is equal between bgpPeers and bgpPeers_cbgp:
$config['alert']['macros']['rule']['bgp_match_cbgp'] = 'bgpPeers.bgpPeerIdentifier = bgpPeers_cbgp.bgpPeerIdentifier';
This can be tested as yes to filter to the right bgp peer in both tables.
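The row fan-out described in this thread, reproduced as an added example (not the poster's code or the monitoring tool's own). It assumes a simplified three-table schema and constructed sample peers in an in-memory SQLite database, with `&&` written as AND for SQLite.

```python
import sqlite3

SCHEMA = """
CREATE TABLE devices (device_id INTEGER, status INTEGER, disabled INTEGER, "ignore" INTEGER);
CREATE TABLE bgpPeers (device_id INTEGER, bgpPeerIdentifier TEXT,
                       bgpPeerState TEXT, bgpPeerAdminStatus TEXT);
CREATE TABLE bgpPeers_cbgp (device_id INTEGER, bgpPeerIdentifier TEXT, afi TEXT);
INSERT INTO devices VALUES (29, 1, 0, 0);
"""

# Query shape from the thread: the two peer tables are tied together by device_id only.
BROKEN = """
SELECT bgpPeers.bgpPeerIdentifier FROM devices, bgpPeers, bgpPeers_cbgp
WHERE devices.device_id = 29
  AND devices.device_id = bgpPeers.device_id
  AND devices.device_id = bgpPeers_cbgp.device_id
  AND bgpPeers.bgpPeerState != 'established'
  AND devices.status = 1 AND devices.disabled = 0 AND devices."ignore" = 0
  AND bgpPeers.bgpPeerAdminStatus != 'stop'
  AND bgpPeers.bgpPeerState != ''
  AND bgpPeers_cbgp.afi = 'ipv4'
"""
# Same query plus the peer-to-peer join clause added in the thread.
FIXED = BROKEN + "  AND bgpPeers.bgpPeerIdentifier = bgpPeers_cbgp.bgpPeerIdentifier\n"

# Constructed sample: one down IPv6 peer and three established IPv4 peers on device 29.
SAMPLE_PEERS = [
    ("2001:db8::29", "active", "ipv6"),
    ("192.0.2.1", "established", "ipv4"),
    ("192.0.2.2", "established", "ipv4"),
    ("192.0.2.3", "established", "ipv4"),
]

def build_db(peers):
    """Load (identifier, state, afi) tuples into both peer tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for ident, state, afi in peers:
        db.execute("INSERT INTO bgpPeers VALUES (29, ?, ?, 'start')", (ident, state))
        db.execute("INSERT INTO bgpPeers_cbgp VALUES (29, ?, ?)", (ident, afi))
    return db

def matches(db, sql):
    """Return the peer identifier of every row the rule query matches."""
    return [row[0] for row in db.execute(sql)]

if __name__ == "__main__":
    db = build_db(SAMPLE_PEERS)
    print("device_id join only:", matches(db, BROKEN))  # v6 peer once per ipv4 cbgp row
    print("with peer join:     ", matches(db, FIXED))   # no down IPv4 peer, no match
```

With only the device_id join, the down IPv6 peer is returned once for every IPv4 row in bgpPeers_cbgp on the same device, which is the duplicate-fault pattern seen in the alert.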