SIEM & UEBA


Total Interface Down time

  • 1.  Total Interface Down time

    Posted Jun 07, 2021 02:18 PM
    You can pull events showing when an interface goes down and when it comes back up. However, there does not appear to be a way to total the time between the two events. Is there a way to do this? One way I have thought about is to set up a rule that creates an event that will store the difference between the Down and Up events, rather than an incident, but I haven't found a way to do that.


  • 2.  RE: Total Interface Down time

    Posted 17 days ago
    Hi Kevin,

    You are correct, technically this operation could be completed in the parser by way of the collectAndSetAttrFromAnotherEvent function.

    Example from IronportMailParser
    <collectAndSetAttrFromAnotherEvent AnotherEventType="Cisco-IronPort-Mail-From">
       <when test="$ironportMailMID = $AnotherEvent.ironportMailMID">
          <setEventAttribute attr="receiverMailAddr">$AnotherEvent.receiverMailAddr</setEventAttribute>
       </when>
    </collectAndSetAttrFromAnotherEvent>


    In your case, you would want to retrieve the last time the interface went up or down and calculate the time between the two events.  So you would want to use a function like calculateMSec once you assign the event receive time from the other event to a temp variable.

    Example

    <!-- INTERFACE_DOWN_EVENT_TYPE is a placeholder: substitute the event type your
         device generates when the interface goes down (the thread only names the
         DOWN_TO_UP event type). -->
    <when test='$eventType IN "PH_DEV_MON_INTF_OPER_DOWN_TO_UP,INTERFACE_DOWN_EVENT_TYPE"'>
       <collectAndSetAttrFromAnotherEvent AnotherEventType="PH_DEV_MON_INTF_OPER_DOWN_TO_UP OR INTERFACE_DOWN_EVENT_TYPE">
          <!-- match the previous state change of the same interface -->
          <when test="$intfName = $AnotherEvent.intfName">
             <!-- receive time of the previous event, kept in a temp variable -->
             <setEventAttribute attr="_lastChanged">$AnotherEvent.phRecvTime</setEventAttribute>
             <!-- elapsed time between the previous state change and this event -->
             <setEventAttribute attr="durationMSec">calculateMSec($_lastChanged)</setEventAttribute>
          </when>
       </collectAndSetAttrFromAnotherEvent>
    </when>
    

    This example code is untested.  It is only provided as an example.  Please use at your own risk.

    Word of advice

    Be careful using this technique.  It will force the parser to keep an index of all matching event types in memory.  That said, the collectAndSetAttrFromAnotherEvent function is widely used in the default Windows parsers.  I would just monitor the memory utilization of phParser on any collectors (or your Supervisor) that are parsing events.

    ------------------------------
    Ken
    ------------------------------
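
The pairing logic the answer describes (remember the last state change per interface, then compute the gap when the opposite event arrives) can be checked offline before committing to a parser change. The Python below is an added example, not Ken's parser snippet and not a FortiSIEM API: it keeps the same per-interface index the parser would keep in memory, emits a durationMSec for each Down/Up pair, bounds the index size so it cannot grow without limit (the memory concern raised above), and sums the result per interface. The event records and their timestamps are constructed; the Up event type name comes from the thread, while the Down event type name is a hypothetical placeholder because the thread never names it.

```python
"""Pair interface Down/Up events per interface and total the downtime.

Added example: re-implements the pairing idea from the parser snippet in
plain Python so it can be run against constructed events. Field names
(eventType, intfName, phRecvTime, durationMSec) follow the thread.
"""

# Event type for "interface came back up", as named in the thread.
INTF_UP = "PH_DEV_MON_INTF_OPER_DOWN_TO_UP"
# Hypothetical placeholder for the "interface went down" event type.
INTF_DOWN = "HYPOTHETICAL_INTF_OPER_UP_TO_DOWN"

# Constructed sample events; phRecvTime is epoch seconds.
SAMPLE_EVENTS = [
    {"eventType": INTF_DOWN, "intfName": "Gi0/1", "phRecvTime": 1623075000},
    {"eventType": INTF_DOWN, "intfName": "Gi0/2", "phRecvTime": 1623075010},
    {"eventType": INTF_UP,   "intfName": "Gi0/1", "phRecvTime": 1623075090},  # 90 s after down
    {"eventType": INTF_UP,   "intfName": "Gi0/3", "phRecvTime": 1623075100},  # no prior down
    {"eventType": INTF_DOWN, "intfName": "Gi0/1", "phRecvTime": 1623075200},
    {"eventType": INTF_DOWN, "intfName": "Gi0/1", "phRecvTime": 1623075230},  # flap: latest down wins
    {"eventType": INTF_UP,   "intfName": "Gi0/1", "phRecvTime": 1623075260},  # 30 s after latest down
    {"eventType": INTF_UP,   "intfName": "Gi0/2", "phRecvTime": 1623075610},  # 600 s after down
    {"eventType": INTF_DOWN, "intfName": "Gi0/4", "phRecvTime": 1623075700},  # still down at end
]


def pair_down_up(events, max_open=10000):
    """Walk events in receive order and pair each Up with the latest Down.

    Returns (durations, open_index):
      durations  - list of dicts with intfName, downAt, upAt, durationMSec
      open_index - interfaces that are down with no Up seen yet
    max_open bounds the in-memory index; the oldest entry is evicted when
    the bound is exceeded, trading completeness for predictable memory.
    """
    last_down = {}   # intfName -> phRecvTime of the most recent Down
    durations = []
    for ev in sorted(events, key=lambda e: e["phRecvTime"]):
        intf = ev["intfName"]
        if ev["eventType"] == INTF_DOWN:
            # "last time the interface went down": a newer Down overwrites
            last_down[intf] = ev["phRecvTime"]
            if len(last_down) > max_open:
                oldest = min(last_down, key=last_down.get)
                del last_down[oldest]
        elif ev["eventType"] == INTF_UP:
            down_at = last_down.pop(intf, None)
            if down_at is None:
                continue  # Up without a known Down: nothing to measure
            durations.append({
                "intfName": intf,
                "downAt": down_at,
                "upAt": ev["phRecvTime"],
                "durationMSec": (ev["phRecvTime"] - down_at) * 1000,
            })
    return durations, last_down


def total_downtime_msec(durations):
    """Sum durationMSec per interface."""
    totals = {}
    for d in durations:
        totals[d["intfName"]] = totals.get(d["intfName"], 0) + d["durationMSec"]
    return totals


if __name__ == "__main__":
    pairs, still_down = pair_down_up(SAMPLE_EVENTS)
    for p in pairs:
        print(f'{p["intfName"]}: down {p["durationMSec"]} ms')
    print("totals:", total_downtime_msec(pairs))
    print("still down:", still_down)
```

The index in `last_down` is the Python counterpart of the event index the parser keeps for `collectAndSetAttrFromAnotherEvent`; its size at any moment is the number of interfaces currently down, which is what to watch (alongside phParser memory) on a busy collector.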