Device restarted (uptime low)-juniper-junos
Indeni will alert when a device has restarted.
Determine why the device was restarted.
How does this work?
This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the “show system uptime” command. The output includes the device’s uptime as well as additional information.
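As a rough illustration of the parsing step, the sketch below extracts the uptime and current time from XML shaped like the output of "show system uptime | display xml". The sample document, the element names it relies on, and the helper functions are assumptions made for illustration; this is not Indeni's actual parser, and the XML layout may differ between Junos releases.

```python
import xml.etree.ElementTree as ET

# Illustrative sample only: the element layout is an assumption about what
# "show system uptime | display xml" returns and may differ by Junos release.
SAMPLE_XML = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
  <system-uptime-information xmlns="http://xml.juniper.net/junos/15.1X49/junos">
    <current-time>
      <date-time junos:seconds="1500000000">2017-07-14 02:40:00 UTC</date-time>
    </current-time>
    <system-booted-time>
      <date-time junos:seconds="1499987655">2017-07-13 23:14:15 UTC</date-time>
      <time-length junos:seconds="12345">03:25:45</time-length>
    </system-booted-time>
  </system-uptime-information>
</rpc-reply>"""


def local_name(qualified):
    """Drop a '{namespace}' prefix from an ElementTree tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def find_first(root, name):
    """Return the first element (root included) whose namespace-free tag is name."""
    for element in root.iter():
        if local_name(element.tag) == name:
            return element
    return None


def seconds_attribute(element):
    """Read the namespaced 'seconds' attribute as an int, or None if absent."""
    for key, value in element.attrib.items():
        if local_name(key) == "seconds":
            return int(value)
    return None


def parse_uptime(xml_text):
    """Extract uptime, current time and time zone from the (assumed) XML layout."""
    root = ET.fromstring(xml_text)
    uptime = find_first(find_first(root, "system-booted-time"), "time-length")
    current = find_first(find_first(root, "current-time"), "date-time")
    return {
        "uptime-milliseconds": seconds_attribute(uptime) * 1000,
        # Epoch seconds are an assumption; the real metric format is not documented here.
        "current-datetime": seconds_attribute(current),
        # Assumes the time zone is the last token of the date-time text.
        "timezone": current.text.split()[-1],
    }


metrics = parse_uptime(SAMPLE_XML)
print(metrics)
```

Matching on namespace-free names keeps the sketch independent of the release-specific namespace URI that Junos embeds in its XML output.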
Why is this important?
Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
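The comparison described above can be sketched in a few lines. The function name and the sample values are hypothetical; the only idea taken from the text is that an uptime lower than the previous sample implies a restart.

```python
def detect_restarts(uptime_samples_ms):
    """Return the indices of samples whose uptime is lower than the previous sample."""
    restarts = []
    for index in range(1, len(uptime_samples_ms)):
        if uptime_samples_ms[index] < uptime_samples_ms[index - 1]:
            restarts.append(index)
    return restarts


# Hypothetical samples taken five minutes apart; the device reboots before the fourth.
samples = [86_400_000, 86_700_000, 87_000_000, 120_000, 420_000]
print(detect_restarts(samples))  # prints [3]
```

Because only consecutive samples are compared, a restart is detected regardless of how long the device had been up beforehand.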
Without Indeni how would you find this?
It is possible to poll this data through SNMP, or to capture the syslog message or SNMP trap that a device sends when it boots.
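For the SNMP route, one commonly polled object is sysUpTime.0 from SNMPv2-MIB, which reports TimeTicks (hundredths of a second) since the SNMP agent was last re-initialized. The sketch below only converts such a value to milliseconds and shows when the 32-bit counter wraps; it performs no SNMP request, and the function names are hypothetical. Note that the agent's uptime is not necessarily the same as the time since the device booted.

```python
SYS_UPTIME_OID = "1.3.6.1.2.1.1.3.0"  # sysUpTime.0 (SNMPv2-MIB)
TIMETICKS_MODULUS = 2 ** 32           # TimeTicks is an unsigned 32-bit value


def timeticks_to_ms(ticks):
    """Convert TimeTicks (hundredths of a second) to milliseconds."""
    return ticks * 10


def wrap_period_days():
    """Days until a TimeTicks value wraps back to zero."""
    return TIMETICKS_MODULUS / 100 / 86_400


print(timeticks_to_ms(1_234_500))
print(round(wrap_period_days(), 1))
```

A poller that compares consecutive sysUpTime values therefore sees a drop roughly every 497 days even without a restart, which is worth keeping in mind when treating any decrease as a reboot.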
name: junos-show-system-uptime
description: Fetches system uptime
type: monitoring
monitoring_interval: 5 minute
requires:
    vendor: juniper
    os.name: junos
    high-availability:
        neq: 'true'
comments:
    uptime-milliseconds:
        why: |
            Capture the uptime of the device. If the uptime is lower than the previous sample, the device must have reloaded.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the output of the "show system uptime" command. The output includes the device's uptime as well as additional information.
        can-with-snmp: true
        can-with-syslog: true
    current-datetime:
        why: |
            Capture the current date and time of the device. Device current date and time should never be more than 24 hours away from date and time of the device polling the data, otherwise date and time are not correctly set on device.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the current time using the output of the "show system uptime" command. The output includes the device's current date and time as well as configured time zone.
        can-with-snmp: true
        can-with-syslog: false
    timezone:
        why: |
            Capture the current time zone of the device. The time zone information is useful for display purposes.
        how: |
            This script logs into the Juniper JUNOS-based device using SSH and retrieves the configured time zone using the output of the "show system uptime" command. The output includes the device's current date and time as well as configured time zone.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: show system uptime | display xml
    parse:
        type: XML
        file: show-system-uptime.parser.1.xml.yaml
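The 24-hour rule stated for the current-datetime metric can be expressed as a small check. This is a sketch under assumptions: the function name is hypothetical, the device time is assumed to arrive as epoch seconds, and a difference of exactly 24 hours is treated as acceptable.

```python
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(hours=24)  # limit taken from the metric description


def clock_is_plausible(device_epoch_seconds, poller_now=None):
    """Return True if the device clock is within 24 hours of the poller's clock."""
    if poller_now is None:
        poller_now = datetime.now(timezone.utc)
    device_now = datetime.fromtimestamp(device_epoch_seconds, tz=timezone.utc)
    return abs(device_now - poller_now) <= MAX_CLOCK_SKEW


# Fixed poller time so the example is reproducible.
poller = datetime(2017, 7, 14, 2, 40, tzinfo=timezone.utc)
print(clock_is_plausible(1_500_000_000, poller))               # same instant
print(clock_is_plausible(1_500_000_000 - 2 * 86_400, poller))  # two days behind
```

Comparing both timestamps in UTC avoids false alarms caused by the device and the poller being configured with different time zones.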
// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.
package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.apidata.time.TimeSpan
import com.indeni.apidata.time.TimeSpan.TimePeriod
import com.indeni.server.common.data.conditions.Equals
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.TimeIntervalThresholdOnDoubleMetricTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
import com.indeni.server.rules.ThresholdDirection
import com.indeni.server.rules.RemediationStepCondition

case class cross_vendor_uptime_low() extends TimeIntervalThresholdOnDoubleMetricTemplateRule(
  ruleName = "cross_vendor_uptime_low",
  ruleFriendlyName = "All Devices (Non-VSX): Device restarted (uptime low)",
  ruleDescription = "Indeni will alert when a device has restarted.",
  severity = AlertSeverity.CRITICAL,
  metricName = "uptime-milliseconds",
  threshold = TimeSpan.fromMinutes(60),
  metricUnits = TimePeriod.MILLISECOND,
  thresholdDirection = ThresholdDirection.BELOW,
  alertDescriptionFormat = "The current uptime is %.0f seconds which seems to indicate the device has restarted.",
  alertDescriptionValueUnits = TimePeriod.SECOND,
  baseRemediationText = "Determine why the device was restarted.",
  metaCondition = !Equals("vsx", "true")
)(
  RemediationStepCondition.VENDOR_CISCO ->
    """|
       |1. Use the "show version" or "show system reset-reason" NX-OS commands to display the reason for the reload.
       |2. Use the "show cores" command to determine if a core file was recorded during the unexpected reboot.
       |3. Run the "show process log" command to display the processes and if a core was created.
       |4. With the show logging command, review the events that happened close to the time of reboot.""".stripMargin,
  RemediationStepCondition.VENDOR_FORTINET ->
    """
      |1. Watch the system reboot time.
      |2. Review the log messages and focus on error messages that were generated at least 5 minutes prior to system reboot, especially before unexpected system reboot.
      |3. Verify the status of the scheduled restart command to making sure it's an irregular restart
      | - config sys global
      | - get | grep restart
      | - end
      |4. Login via ssh to the Fortinet firewall and review the crash log in a readable format by using the FortiOS command “diag debug crashlog read”.
      |5. Contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.""".stripMargin
)
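The core of the rule above (a 60-minute threshold on uptime-milliseconds, direction BELOW, and an alert text reported in seconds) can be approximated as follows. This is a simplified sketch, not the behavior of TimeIntervalThresholdOnDoubleMetricTemplateRule itself: the function name is hypothetical, the comparison is assumed to be strict, and any time-interval handling the template performs is left out.

```python
THRESHOLD_MS = 60 * 60 * 1000  # TimeSpan.fromMinutes(60), expressed in milliseconds

ALERT_FORMAT = (
    "The current uptime is %.0f seconds which seems to indicate "
    "the device has restarted."
)


def evaluate_uptime(uptime_ms, threshold_ms=THRESHOLD_MS):
    """Return the alert text if uptime is below the threshold, otherwise None."""
    if uptime_ms >= threshold_ms:
        return None
    # The metric is stored in milliseconds but reported in seconds.
    return ALERT_FORMAT % (uptime_ms / 1000)


print(evaluate_uptime(120_000))    # device booted two minutes ago
print(evaluate_uptime(7_200_000))  # device has been up for two hours
```

Under these assumptions a device is flagged for the first hour after it boots, which at a 5-minute polling interval covers roughly a dozen samples.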