Port Flapping rule

Help
1

Hi community,

I am looking to create a rule to detect port flapping. After digging I found that this can be done using custom sql query alert.

So the SQL query I am trying to get working in alert is the following.

SELECT
e.device_id,
p.ifName,
COUNT(e.message) AS message_count
FROM
eventlog e
JOIN
ports p ON e.reference = p.port_id
WHERE
e.device_id = ?
AND e.type = ‘interface’
AND e.message LIKE ‘ifOperStatus: up%’
AND UNIX_TIMESTAMP(e.datetime) >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 MINUTE)
GROUP BY
e.device_id, p.ifName
HAVING
COUNT(e.device_id) >= 5;

If I execute this database it work fine, but when I place it in the alert rule I am getting an alert in the eventlog

Error in alert rule Port is Flapping (33): SQLSTATE[HY093]: Invalid parameter number (Connection: mysql, SQL: SELECT e.device_id, p.ifName, COUNT(e.message) AS message_count FROM eventlog e JOIN ports p ON e.reference = p.port_id WHERE e.device_id = 17 AND e.type = ‘interface’ AND e.message LIKE ‘ifOperStatus: up%’ AND UNIX_TIMESTAMP(e.datetime) >= UNIX_TIMESTAMP(NOW() - INTERVAL 120 MINUTE) GROUP BY e.device_id, p.ifName HAVING COUNT(e.device_id) >= 2)

image
image1920×375 121 KB

Alert rule configuration…

image
image1774×1784 223 KB

image
image1796×1286 175 KB

Thanx for your help! :slight_smile:

2

I took your rule and it works for me.

However, there is a difference in the eventlog output from your rule, one is checking for a count >= 5 the other >= 2. The rule looks good in both cases though so I’m still perplexed.

The error is saying the wrong number of parameters are being passed, we only pass device_id to other only ? that exists in the query, double check your query.

3

Yeah not sure what was not working, but I end up rewriting the query from scracth and now it work. Might a some bad/weird character from a copy/paste.

Now it look to be working as expected, and final query look like this .

image
image1762×1432 182 KB

The only I am wondering is where the informations come from to fill the field below the hostname/ip in notification section, it show empty for my custom query but not the other one

image
image1766×348 36.5 KB

4

You can try p.* instead of just p.ifName