# heartbeat-server.bro
# Listen for remote heartbeat events
# $Id: server-heartbeat.bro,v 1.5 2006/02/03 18:31:48 tierney Exp $

# To use this analyzer, be sure to redef Remote::destinations
# and probably mail_dest too.

# Start listening for remote hosts.
# NOTE(review): listen-clear is the non-SSL listener, so heartbeat events
# presumably arrive unencrypted and a peer is told apart only by its
# address; confirm whether listen-ssl is an option for this deployment.
@load listen-clear

# How long a peer may stay silent before a 'lost' message is generated.
global max_timeout = 30 min &redef;

#################################################
# shouldn't need to modify anything below here  #
#################################################

# Notice type raised when a monitored peer goes quiet.
redef enum Notice += { LostHeartBeat };

# Forward declaration: the table below names this function in its
# &expire_func attribute before the body is defined.
global lost_heartbeat: function(t: table[string] of event_peer, idx: string) : interval;

# Peers currently being monitored, keyed by host string. The event_peer is
# cached so it can be attached to the notice. Every write restarts the
# max_timeout countdown (&write_expire); when it runs out, lost_heartbeat
# is called for that entry.
# Only peers that have sent at least one heartbeat are ever in this table,
# so a sensor that never connects produces no LostHeartBeat notice.
global heartbeats : table[string] of event_peer
	&write_expire = max_timeout
	&expire_func = lost_heartbeat;

# Expiry callback: raise a LostHeartBeat notice for the entry that timed out.
# Whether the notice turns into mail depends on notice handling configured
# elsewhere (see the mail_dest remark in the header).
#   t   - the table the entry is expiring from
#   idx - key of the expiring entry (the peer's host string)
# Returns 0 sec, i.e. no extra lifetime is requested for the entry.
function lost_heartbeat(t: table[string] of event_peer, idx: string): interval
	{
	local lost_msg = fmt("Lost heartbeat from %s", idx);

	NOTICE([$note=LostHeartBeat,
		$msg=lost_msg,
		$src_peer=heartbeats[idx]]);

	return 0 sec;
	}

# Record that a heartbeat message was received from the sending peer.
# The table key comes from get_event_peer(), i.e. the peer that delivered
# the event, not from the orig_h argument carried inside the event. The
# printed line shows orig_h, which is whatever the sender put in the event,
# so it can differ from the key that is actually refreshed.
# ts and info are accepted but not used here.
event heartbeat_event( ts:double, orig_h:addr, info:string )
	{
	local sender = get_event_peer();
	local sender_key = fmt("%s", sender$host);

	print fmt("got heartbeat from %s", orig_h);

	# use this one if you want to be notified if the service
	# went down and came back up on a different port
	#local sender_key = fmt("%s:%s", sender$host, sender$p);

	heartbeats[sender_key] = sender;
	}