[rt-devel] IP tracking in RTIR
Damian Gerow
freebsd at coal.sentex.ca
Wed Dec 3 13:38:35 EST 2003
Thus spake Security (security at ddiction.com) [02/12/03 22:19]:
> What I'm wondering is if anyone out there has already put together any
> kind of pre-filtering system/scrip/module that parses inbound email
> (either before it hits RT or as it's queued) for the reported IP.
>
> What I envision is a module of some kind that parses 'tagged' types of
> email such as mynetwatchman and then checks RT/IR to see if there is an
> existing ticket referencing the IP (custom field). If the ticket exists
> it will then be merged into that ticket. No match, new ticket.
I think you mean:
If a matching ticket is found, the current inbound complaint will be
grafted as a child of the open incident. No match, new ticket.
if we're going to follow the RTIR way of doing things.
> Anyone out there have something like this in place or in the works? I'd
> rather not have to try and re-invent where it's not necessary and as I
> mentioned above... I'm not much of a coder.
I'd actually started on this some time ago, but quickly came to the
realization that the approach is broken: dynamic IP assignments.
Since setting up RTIR, I have gotten two complaints that referenced IP
addresses for current Investigations. However, each of those two did *not*
actually map to that investigation, as a different userid was signed on to
that IP address at the time of the complaint.
Instead, what I'd like to do, is generate links within the ticket body for
IP addresses found, that can take me to my RADIUS log lookup page. And
include the date range around the time of the complaint only (so I'm not
looking at a months worth of RADIUS logs).
That approach might actually be a little bit easier, I just haven't done it
yet.
- Damian
More information about the Rt-devel
mailing list