Wadjet-Alarming supplies a set of interfaces and implementations for sending alarms from a process to different destinations.
It supplies you implementations for the following:
Alarms are split into 2 distinct types:
SNMP traps are built from a default MIB (Management Information Base) using a default plugin class that builds the trap PDU. The architecture allows you to define a different class to build the PDUs, using the service location pattern from the Wadjet-Utils package, so you can support other MIBs.
The syslog and olog implementations send formatted strings which can be configured in the service configuration file (see the Java documentation).
The following sections describe how you can use the AlarmingService.
The Alarming Service uses Service Location to load the service class you have chosen. This is configured in the services.conf file if you do not use the default, which is the SnmpAlarmingService. To change, for example, to the SyslogAlarmingService, you need the following entry in the file:
alarming-service=com.addc.alarming.syslog.SyslogAlarmingService
As mentioned above, the SNMP service builds the PDUs using a default implementation of the ITrapPduGenerator that creates a PDU which conforms to the MIB shown at the bottom of this page. If you need to use a different MIB, you will have to implement the ITrapPduGenerator interface, preferably by extending the ATrapPduGenerator class, which supplies a set of utility methods for creating the varbinds. Then enter the name of your class in the services.conf file:
trap-generator=com.mycompany.alarming.snmp.MyTrapPduGenerator
Note that ATrapPduGenerator supplies a method to create the initialised Trap PDU which takes care of whether the Context is passive or not. If you want to code this yourself, you need to check what kind of Context is passed:
TrapPduv1 pdu;
if (context instanceof PassiveSnmpContext) {
    pdu = new PassiveTrapPduv1((PassiveSnmpContext) context);
} else {
    pdu = new TrapPduv1((SnmpContext) context);
}
To obtain an Alarming Service instance, use the locator. It maintains a singleton instance of the Alarming Service, which is created the first time a request is made.
IAlarmingService alarming = AlarmingServiceFactory.getAlarmingService();
As with all the Service Locators in the Wadjet libraries, this will throw a RuntimeException if the service cannot be instantiated or initialised.
There are 2 ways of creating events for the alarming service:
ApplicationEvent event = alarming.createApplicationEvent(this,
        myAppName,
        Severity.CRITICAL,
        message);
ApplicationEvent event = alarming.createApplicationEvent(SomeClass.class,
        myAppName,
        Severity.INFO,
        message);
ApplicationEvent event = alarming.createApplicationEvent(sourceDescription,
        myAppName,
        Severity.WARNING,
        message);
SecurityEvent trap = alarming.createSecurityEvent(principal,
        actor,
        sourceDescription,
        Severity.CRITICAL,
        message);
ApplicationEvent event = new ApplicationEvent(
        this.getClass().getName(),
        myAppName,
        Severity.ERROR,
        Community.DEFAULT,
        message);
SecurityEvent event = new SecurityEvent(
        principal,
        actor,
        sourceDescription,
        Severity.CRITICAL,
        Community.SECURITY,
        message);
or
ApplicationEvent event = new ApplicationEvent();
event.setSource(this.getClass().getName());
event.setApplication(myAppName);
event.setSeverity(Severity.ERROR);
event.setMessage(message);
SecurityEvent event = new SecurityEvent();
event.setPrincipal(principal);
event.setActor(actor);
event.setSource(myAppName);
event.setSeverity(Severity.ERROR);
event.setMessage(message);
Each event type is sent using a different method, because application events often need to be sent to a different destination, community or syslog facility than security events.
To send an application event (example taken from the Audit code):
try {
    dos = new DataOutputStream(new FileOutputStream(m_dumpFile, true));
    for (Iterator<AuditEvent> iter = events.iterator(); iter.hasNext();) {
        iter.next().write(dos);
    }
} catch (Exception e) {
    m_logger.fatal("Error persisting events", e);
    IAlarmingService alarm = AlarmingServiceFactory.getAlarmingService();
    ApplicationEvent event = alarm.createApplicationEvent(this,
            "Auditor",
            Severity.CRITICAL,
            "Error persisting audit traces, possible loss of trail.");
    alarm.sendApplicationEvent(event);
} finally {
    ...
To send a security event (also from the Audit code, where there is a member containing the reference to the Alarming Service):
// event is an AuditEvent
if (raiseAlarm(event)) {
    SecurityEvent alarm = null;
    if (event.isAlarmCritical()) {
        alarm = m_alarmService.createSecurityEvent(event.getOriginator(),
                event.getActor(),
                AUDIT_SOURCE,
                Severity.CRITICAL,
                event.getMessage());
    } else {
        // Map the audit severity onto the alarm severity (INFO by default)
        AuditSeverity se = event.getSeverity();
        Severity level = Severity.INFO;
        if (se.equals(AuditSeverity.FAILURE)) {
            level = Severity.CRITICAL;
        } else if (se.equals(AuditSeverity.ERROR)) {
            level = Severity.ERROR;
        } else if (se.equals(AuditSeverity.WARNING)) {
            level = Severity.WARNING;
        }
        alarm = m_alarmService.createSecurityEvent(event.getOriginator(),
                event.getActor(),
                AUDIT_SOURCE,
                level,
                event.getMessage());
    }
    m_alarmService.sendSecurityEvent(alarm);
}
The Wadjet-Alarming package supplies the following extension points:
You can create your own Alarming Service by extending the AAlarmingService class, which supplies the default methods for creating events and other utility methods, or by implementing the IAlarmingService interface directly if, for example, you want to change the ApplicationEvent and/or the SecurityEvent class.
You can then use your class by setting or adding the alarming-service property in the services.conf file.
You can create your own Trap PDU generator by extending the ATrapPduGenerator class or directly implementing the ITrapPduGenerator interface so you can use a different MIB.
You can then use your class by setting or adding the trap-generator property in the services.conf file.
You can create your own event formatter by implementing the IEventFormatter interface. You may want to do this if you extend one or both of the ApplicationEvent and/or SecurityEvent classes.
You can then use your class by setting or adding the event-formatter property in the services.conf file.
ALARMING-MIB DEFINITIONS ::= BEGIN
IMPORTS
Counter64
FROM SNMPv2-SMI
DisplayString
FROM SNMPv2-TC;
addc OBJECT IDENTIFIER ::= { iso org(3) dod(6) internet(1) private(4) enterprise(1) 19500 }
wadjet OBJECT IDENTIFIER ::= { addc 2 }
trapVars OBJECT IDENTIFIER ::= { wadjet 10 }
-- Application trap elements
trapTime OBJECT-TYPE
SYNTAX DisplayString (SIZE(23))
ACCESS read-only
STATUS mandatory
DESCRIPTION "The time when the trap was generated formatted according
to ISO8601 (yyyy-MM-dd HH:mm:ss.SSS)"
::= { trapVars 5 }
trapMsgId OBJECT-TYPE
SYNTAX Counter64
ACCESS read-only
STATUS mandatory
DESCRIPTION "An integer that indicates the trap's message id"
::= { trapVars 10 }
trapSeverity OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..8))
ACCESS read-only
STATUS mandatory
DESCRIPTION "A string that indicates the severity of the trap's message,
this should be one of: INFO, WARNING, ERROR, CRITICAL"
::= { trapVars 15 }
trapServerName OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..64))
ACCESS read-only
STATUS optional
DESCRIPTION "The name of the software server which generated the trap"
::= { trapVars 20 }
trapMachineName OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..64))
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the host from which the trap is sent"
::= { trapVars 25 }
trapSubsystem OBJECT-TYPE
SYNTAX DisplayString (SIZE(1..64))
ACCESS read-only
STATUS mandatory
DESCRIPTION "The name of the subsystem or module within the application
that generated the trap"
::= { trapVars 30 }
trapSource OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..128))
ACCESS read-only
STATUS mandatory
DESCRIPTION "The Source within a sub-system that generated the trap."
::= { trapVars 35 }
trapMessage OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The body of the trap message."
::= { trapVars 40 }
-- Security trap elements
trapPrincipalToken OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The Identity token of the originator."
::= { trapVars 100 }
trapActorToken OBJECT-TYPE
SYNTAX DisplayString
ACCESS read-only
STATUS mandatory
DESCRIPTION "The Identity token of the actor."
::= { trapVars 110 }
-- Security Trap Type definition
securityNotification TRAP-TYPE
ENTERPRISE addc
VARIABLES { trapTime, trapMsgId, trapSeverity,
trapServerName, trapMachineName,
trapSource, trapPrincipalToken,
trapActorToken, trapMessage }
DESCRIPTION "A Security alarm notification."
::= 40
-- Application Trap Type definition
applicationNotification TRAP-TYPE
ENTERPRISE addc
VARIABLES { trapTime, trapMsgId, trapSeverity,
trapServerName, trapMachineName,
trapSubsystem, trapSource,
trapMessage}
DESCRIPTION "An Application alarm notification."
::= 60
END
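A receiver-side conformance check for traps that follow the ALARMING-MIB above, added here as an illustration (it is not Wadjet code): it resolves the OIDs from the MIB tree and checks each varbind against the SIZE, STATUS and TRAP-TYPE definitions. The class name AlarmingTrapCheck, the varbind map keyed by object OID without an instance suffix, and the sample values are assumptions; it needs Java 9 or later.

```java
import java.math.BigInteger;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.*;

public class AlarmingTrapCheck { // hypothetical class, not part of Wadjet
    // trapVars = addc (1.3.6.1.4.1.19500) . wadjet (2) . 10, from ALARMING-MIB
    static final String TRAP_VARS = "1.3.6.1.4.1.19500.2.10.";
    static final DateTimeFormatter TIME = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS");
    static final Set<String> SEVERITIES = Set.of("INFO", "WARNING", "ERROR", "CRITICAL");
    // VARIABLES clause of each TRAP-TYPE, as sub-identifiers under trapVars
    static final Map<Integer, List<Integer>> TRAP_TYPES = Map.of(
        40, List.of(5, 10, 15, 20, 25, 35, 100, 110, 40), // securityNotification
        60, List.of(5, 10, 15, 20, 25, 30, 35, 40));      // applicationNotification

    static boolean validTime(String v) { // trapTime: SIZE(23) in the MIB's pattern
        try { LocalDateTime.parse(v, TIME); return v.length() == 23; }
        catch (DateTimeParseException e) { return false; }
    }

    /** Returns the MIB violations found in a received trap; an empty list means it conforms. */
    static List<String> check(int specificTrap, Map<String, String> varbinds) {
        List<Integer> expected = TRAP_TYPES.get(specificTrap);
        if (expected == null) return List.of("unknown specific trap " + specificTrap);
        List<String> problems = new ArrayList<>();
        Set<String> unexpected = new TreeSet<>(varbinds.keySet());
        for (int sub : expected) {
            String oid = TRAP_VARS + sub, v = varbinds.get(oid);
            unexpected.remove(oid);
            boolean ok;
            if (v == null) ok = (sub == 20); // only trapServerName is STATUS optional
            else if (sub == 5) ok = validTime(v);
            else if (sub == 10) ok = v.matches("\\d+") && new BigInteger(v).bitLength() <= 64; // Counter64
            else if (sub == 15) ok = SEVERITIES.contains(v);
            else if (sub == 20 || sub == 25 || sub == 30) ok = !v.isEmpty() && v.length() <= 64;
            else if (sub == 35) ok = v.length() <= 128; // trapSource: SIZE(0..128)
            else ok = true; // trapMessage and the identity tokens carry no SIZE constraint
            if (!ok) problems.add((v == null ? "missing " : "invalid ") + oid);
        }
        for (String oid : unexpected) problems.add("unexpected " + oid);
        return problems;
    }
    public static void main(String[] args) {
        Map<String, String> vb = Map.of( // constructed sample varbinds, not captured data
            TRAP_VARS + 5, "2024-05-01 12:00:00.123", TRAP_VARS + 10, "42",
            TRAP_VARS + 15, "FATAL", TRAP_VARS + 25, "host-a", TRAP_VARS + 35, "Auditor",
            TRAP_VARS + 100, "alice", TRAP_VARS + 40, "login failed");
        System.out.println(check(40, vb)); // security trap with a bad severity and no actor token
    }
}
```

A trap manager can run a check like this before forwarding security traps, so that malformed or truncated alarms are flagged rather than silently accepted.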