Event Codes and Allowed Variables
Whenever an event takes place on the Endian Appliance, log messages
are written to the log files, which can be parsed to extract
valuable information. This data can be used within a script that
processes it and produces suitable output. Simple cases
include, but are not limited to, writing a file containing the
username and IP address of a user connecting via SSH, or stopping a
service when an uplink goes offline.
Variables Available Per Event
Each variable corresponds to a particular part of the Endian
Appliance’s configuration.
Event: 10100011 - One device of the RAID array failed.
Variables:
- DEVICE: Contains the name of a device, i.e., a hard disk or a
partition. Example: /dev/hda1, /dev/dm-3.
Event: 10100026 - The rebuild of RAID array has completed.
Variables:
- RAID: The name of a partition that is affected by a RAID event. It
can be either the name of a partition underlying the RAID, for
example /dev/sdb1, or the name of a partition served by the
RAID, for example md0.
Event: 10100038 - Start recovery of RAID array.
Variables:
- RAID: The name of a partition that is affected by a RAID event. It
can be either the name of a partition underlying the RAID, for
example /dev/sdb1, or the name of a partition served by the
RAID, for example md0.
Event: 20100016 - One uplink has gone online.
Variables:
- UPLINK: The name of an uplink.
Event: 20100024 - One uplink has gone offline.
Variables:
- UPLINK: The name of an uplink.
Event: 20100036 - The system has started.
Variables:
Event: 20100044 - The system has shut down.
Variables:
Event: 20100054 - The system is rebooting.
Variables:
Event: 20110030 - All uplinks have gone offline.
Variables:
Event: 20110046 - All uplinks are online.
Variables:
Event: 20110054 - An uplink is dead.
Variables:
- UPLINK: The name of an uplink.
Event: 20110066 - An uplink has come back alive.
Variables:
- UPLINK: The name of an uplink.
Event: 20200018 - An SSH user has successfully logged in from a remote location.
Variables:
- REMOTEIP: The IP address of a client connecting to the appliance.
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20200024 - An SSH user failed to log in from a remote location.
Variables:
- REMOTEIP: The IP address of a client connecting to the appliance.
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20300014 - A disk is getting full.
Variables:
- DEVICE: Contains the name of a device, i.e., a hard disk or a
partition. Example: /dev/hda1, /dev/dm-3.
- WATERMARK: The percentage of the disk space occupied by data, for
example 85%.
Event: 20400014 - A user has failed to log in to the management interface.
Variables:
- REMOTEIP: The IP address of a client connecting to the appliance.
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20500018 - SMS credit alert: only ... SMS left
Variables:
Event: 20500028 - SMS credit alert: no SMS left
Variables:
- NUMBER: The number of SMS remaining.
Event: 20700018 - OpenVPN client opened tunnel on an interface
Variables:
- INTERFACE: The name of an interface through which the Appliance
connects to a remote OpenVPN server, like tap0 or
tun1.
Event: 20700028 - OpenVPN client closed tunnel on an interface
Variables:
- INTERFACE: The name of an interface through which the Appliance
connects to a remote OpenVPN server, like tap0 or
tun1.
Event: 20800014 - An OpenVPN user failed to log in
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800024 - An IPsec/Xauth user failed to log in
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800034 - An L2TP user failed to log in
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800048 - An OpenVPN user has logged in successfully
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800058 - An IPsec/Xauth user has logged in successfully
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800068 - An L2TP user has logged in successfully
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800078 - An OpenVPN user has logged out
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 20800088 - An IPsec/Xauth user has logged out
Variables:
- USER: The username supplied by a remote client when connecting to
the Endian Appliance.
Event: 30100018 - The system upgrade has completed successfully.
Variables:
Event: 30100021 - The system upgrade has failed.
Variables:
Event: 30100038 - There are system updates available.
Variables:
Event: 40100016 - The remote access to support user has been revoked.
Variables:
Event: 40100024 - The remote access to support users has been granted.
Variables:
Event: 40100034 - The access for support user has been extended until ...
Variables:
- UNTIL: The date until which access has been granted to the support
team.
How to Use Variables
Within a script, values extracted from the log files can be used to
decide whether an action should be taken or not.
Suppose that whenever a user fails to connect to the management
interface, the script should save in a file the IP address from which
the connection originates and the username used.
Looking at the list of events shown in the previous section, the
event that applies in this scenario has ID
20400014 and provides two variables, namely USER
and REMOTEIP. The values associated with those two variables
are extracted from the log messages and passed to the script as a
dictionary, for example:
    {
        'USER': 'john',
        'REMOTEIP': '123.45.67.89'
    }
Whenever a script is associated with event 20400014, these values are
passed to the script and can be used. To write the failed login attempt
to the file /var/log/failed_HTTP_logins.txt, the code may look like:
    class ScriptEvent(object):
        def __init__(self):
            self.filename = "/var/log/failed_HTTP_logins.txt"

        def process(self, **kwargs):
            # Append one line per failed login; the file is closed on exit.
            with open(self.filename, "a") as f:
                f.write("User %s failed to log in from IP %s\n" % (kwargs['USER'], kwargs['REMOTEIP']))
After the script has run, the file will contain the
following line:
root@efw-yocto:~ # cat /var/log/failed_HTTP_logins.txt
User john failed to log in from IP 123.45.67.89
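USER is supplied by the remote client, and both values are parsed out of log messages, so a script that writes them to a file should treat them as untrusted. The following is an added example, not Endian's code: a hardened variant of the script above that keeps each event on exactly one line and creates the file readable by its owner only. It assumes Python 3 and the ScriptEvent/process(**kwargs) interface shown on this page; normalize_ip, format_line, MAX_USER_LEN and the optional filename argument are hypothetical names introduced here.

```python
import ipaddress
import json
import os

MAX_USER_LEN = 64  # constructed limit, not an Endian setting


def normalize_ip(value):
    """Return the canonical form of an IPv4/IPv6 address, or a fixed marker."""
    try:
        return str(ipaddress.ip_address(str(value)))
    except ValueError:
        # Anything that is not a bare address (extra text, newlines) is dropped.
        return "invalid-ip"


class ScriptEvent(object):
    def __init__(self, filename="/var/log/failed_HTTP_logins.txt"):
        self.filename = filename

    def format_line(self, **kwargs):
        # json.dumps quotes the name and escapes control characters, quotes,
        # backslashes and non-ASCII, so a crafted username cannot start a
        # second, forged log line or smuggle terminal escape sequences.
        user = json.dumps(str(kwargs.get("USER", ""))[:MAX_USER_LEN])
        ip = normalize_ip(kwargs.get("REMOTEIP", ""))
        return "User %s failed to log in from IP %s\n" % (user, ip)

    def process(self, **kwargs):
        # Create the file with mode 0600 if it does not exist; always append.
        flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
        fd = os.open(self.filename, flags, 0o600)
        with os.fdopen(fd, "a") as f:
            f.write(self.format_line(**kwargs))
```

With this variant the username is written in double quotes, so the line for the sample event reads: User "john" failed to log in from IP 123.45.67.89.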