DX NetOps


Southbound Gateway

  • 1.  Southbound Gateway

    Posted Jan 17, 2017 11:33 PM

    Hi Team,

     

    I have integrated CA Spectrum with a third-party tool using the Southbound Gateway. It is successfully integrated, but the machines under the dummy model (EventAdmin model) are presented with their IP address, not with their host name. My concern is why these are not showing the hostname. Actually, I want the hostname to appear, not the IP. Please suggest some ideas.

     

    Thanks & Regards,

    Mudit



  • 2.  Re: Southbound Gateway

    Posted Jan 18, 2017 12:46 AM

    I guess this is the default behaviour 

     

    When traps are forwarded from devices via a 3rd party management system to Spectrum, the EventAdmin model representing the management system will create new Eventmodel models in Spectrum based on the IP addresses of the traps, if these IP addresses do not correspond to a model already in Spectrum. This is the standard default behaviour.

     

    Not sure if Spectrum can do a name resolution of these models and assign a hostname by default.

     

    You might need to manually update the hostname for these models 

     

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1344513.html 



  • 3.  Re: Southbound Gateway

    Broadcom Employee
    Posted Jan 18, 2017 08:04 AM

    Are you using variable ID 7 (Target Hostname, Case-Sensitive) or variable ID 16 (Target Hostname, case insensitive)?  If you are only using variable ID 8 (IP Address) then that's probably why they are being created with the IP...



  • 4.  Re: Southbound Gateway

    Posted Jan 18, 2017 07:56 AM

    Is it the EventAdmin model or the Event model that has the IP address? If the EventAdmin model, the model name is assigned at model creation by the user. If it is the Event model located within the EventAdmin model, the model name is assigned based on the SBG configuration, specifically by what variables are used for the Event Data Template fields.

     

    Reference The Event Data Template - CA Spectrum - 10.1 to 10.1.2 - CA Technologies Documentation 

     

    Joe



  • 5.  Re: Southbound Gateway

    Posted Jan 18, 2017 10:06 AM

    Show the EventDisp file and I will tell you what's wrong.



  • 6.  Re: Southbound Gateway

    Posted Jan 20, 2017 12:11 AM

    Hi Team,

     

    Thanks for your concern.

     

    Below is an AlertMap file (location: win32app\Spectrum\SS\CsVendor\gen_app_gw\EventAdmin). I updated the default AlertMap file of Spectrum and did not create a new file; is that OK? Is there any other file that also needs to be updated besides this one?

     

    # applianceOffline                                            systemHostId
    1.3.6.1.4.1.21091.6.1.6.1         0xfff00000 \ 1.3.6.1.4.1.21091.1.1.4(1,0)\
                                                                         1.3.6.1.2.1.1.5(1,0)

    # applianceOnline                                           systemHostId
    1.3.6.1.4.1.21091.6.1.6.2          0xfff00001 \ 1.3.6.1.4.1.21091.1.1.4(1,0)\
                                                                          1.3.6.1.2.1.1.5(1,0)

    # cpuUtilHigh
    1.3.6.1.4.1.21091.5.0.1            0xfff00002    1.3.6.1.2.1.1.5(1,0)

    # memoryPaging
    1.3.6.1.4.1.21091.5.0.3            0xfff00003    1.3.6.1.2.1.1.5(1,0)

    # bridgeLink
    1.3.6.1.4.1.21091.5.0.9            0xfff00004    1.3.6.1.2.1.1.5(1,0)

    # Southbound Gateway
    1.3.6.1.4.1.1850.6.1                 0x5990001   1.3.6.1.4.1.1850.1.0.0.1(1,0)

     

    Thanks & Regards,

    Mudit



  • 7.  Re: Southbound Gateway

    Posted Jan 20, 2017 06:54 AM

    And I noticed now that the first two trap mappings map OIDs to the same variable.

    # applianceOffline                                            systemHostId
    1.3.6.1.4.1.21091.6.1.6.1         0xfff00000 \ 1.3.6.1.4.1.21091.1.1.4(1,0)\
                                                                         1.3.6.1.2.1.1.5(1,0)

    That's a fault. Probably why it's not working.

     

    It should be either:

    # applianceOffline                                            systemHostId
    1.3.6.1.4.1.21091.6.1.6.1         0xfff00000      1.3.6.1.4.1.21091.1.1.4(1,0)

    # applianceOnline                                           systemHostId
    1.3.6.1.4.1.21091.6.1.6.2          0xfff00001     1.3.6.1.4.1.21091.1.1.4(1,0)

     

    or this:

    # applianceOffline                                            systemHostId
    1.3.6.1.4.1.21091.6.1.6.1         0xfff00000       1.3.6.1.2.1.1.5(1,0)

    # applianceOnline                                           systemHostId
    1.3.6.1.4.1.21091.6.1.6.2          0xfff00001      1.3.6.1.2.1.1.5(1,0)

     



  • 8.  Re: Southbound Gateway

    Posted Jan 20, 2017 05:17 AM

    It's OK to update this file directly, but beware of typos.

     

    OK, you use variable 1, which means an EventModel will be created using the supplied variable as source. In your case this variable obviously contains the IP address, and Spectrum creates EventModels with the IP address as name without knowing it's the IP address. So, instead, you should map the name of the device to this variable.



  • 9.  Re: Southbound Gateway

    Posted Jan 20, 2017 07:13 AM

    I read your first question again to try to understand what you are trying to do.

     

    Correct me if I'm wrong: "You have a third party monitoring system that sends traps to Spectrum where a variable contains the IP address of a monitored device. And you want the device name to be on the EventModel"?

     

    Southbound GW does not work that way. What you can do is to map the IP address to variable 8; this will make Spectrum put the event/alarm onto a model that has this IP address. If none exists, you will get an alarm on the EventAdmin model telling you that there is no model with this IP.

     

    So to solve your case you could:

     

    Import all devices into Spectrum as pingables with correct names and IPs and use variable 8.

     

    or

    you make sure the third party tool forwards the name as a variable, and you map this to variable 1, which will autocreate an EventModel with this name.

     

    or

    you map the name to variable 16, which will make Spectrum search for a model with the name and place the event/alarm on it. If not found, an alarm will be created on the EventAdmin model telling you that such a model does not exist.



  • 10.  Re: Southbound Gateway

    Posted Jan 20, 2017 07:18 AM

    Importing devices as pingables is a bad idea if Spectrum does not reach the devices; then it's better to create EventModels and make sure the Network Address attribute is set to the IP address. Then mapping to var 8 would work using Southbound GW.



  • 11.  Re: Southbound Gateway

    Posted Jan 23, 2017 03:21 AM

    Hi RoberthEdbergh,

    Thanks for your suggestions.

     

    Yes, you are correct. I have already tried what you suggested above, in both the "either" and the "or" case, but this also does not work. In the Content pane, Alarms tab, under the name section, it shows as ***_IP (*** is the name prefix which was given during EventModel creation). Also, please clear up one confusion of mine about using variable IDs. I am using variable ID (1,0); what does that 1 mean? Some of them mentioned above that for hostname use variable 16 and for IP address use 8, but I haven't used 8, so how did it come with the IP address? What are the parameters by which it reflects the IP? Should I use (16,0) instead of (1,0)?

     

    Thanks & Regards,

    Mudit Singh



  • 12.  Re: Southbound Gateway

    Posted Jan 23, 2017 04:34 AM

    Spectrum won't map IP to name if the device isn't already modelled in Spectrum. In the case you already have a model with the correct IP as attribute "NetworkAdress", then you could map (16,0), which I described above. But if this model (could be an EventModel, Pingable or whatever) does not exist, you will get an EventAdmin alarm telling you that there is no such model.

     

    If you use (1,0), an Eventmodel with the name supplied through the OID variable will be created, which in your case is the IP. Therefore you will end up with models with the IP address as name.

     

    If the above options do not serve you well, then you must do something before the trap is received by Spectrum, either on the sending tool side or in between. In between you can use TrapExploder, which can receive traps and do stuff before forwarding the trap to Spectrum. I don't remember if TrapExploder is free or not. It's a CA product.



  • 13.  Re: Southbound Gateway

    Posted Feb 02, 2017 12:43 AM

    Hi RoberthEdberg,

    Thanks for your wonderful explanation.

    Sorry for the late reply, I was busy somewhere. I got sysname in the component window using your above suggestion, i.e. use only one OID with variable ID (1,0). Is it possible that System name & IP Address will appear in the System name & Network Address columns under the content pane? Please find the below screenshot for the same.

     

     

    Thanks & Regards,

    Mudit



  • 14.  Re: Southbound Gateway

    Posted Feb 02, 2017 03:38 AM

    Not the way you use the SB Gateway. System Name is an external attribute, so this will only be used IF you model devices as SNMP models. In your screenshot I can see that all your alarms end up on the EventAdmin model. This means you have configured the SB Gateway wrong. Each third-party monitored device alarm should end up on an EventModel.

     

    What is the event code for this specific alarm (in the screenshot), and does this exist in the EventDisp under EventAdmin?

     

    /R



  • 15.  Re: Southbound Gateway

    Posted Feb 15, 2017 08:00 AM

    I have reworked and all Alarms are under EventModels of Southbound gateway integration. Event Code exists in Event Disp as following:

     

    0xfff00000 E 20 A 3,0xfff00000

    #where E stands for Events to be generated, 20 defines the severity, A means the events to be converted to Alarm and 3 is severity of Alarm
    0xfff00001 E 20 A 0,0xfff00001
    0xfff00002 E 20 A 3,0xfff00002
    0xfff00003 E 20 A 3,0xfff00003
    0xfff00004 E 20 A 3,0xfff00004

     

    Event Configuration used is as per following:

    A "applianceOffline" event has occurred, from {t} device, named {m}.

    Monitored appliance halted, crashed, or became otherwise unresponsive.

    sysname = {S 16}

    snmpTrapAddress = {S 8}

    systemhostid={S 10}

    It is helping to get the above information under Alarms Message under Components Details Page. However, we are not getting the information under Contents Page of CA Spectrum. 

     

    I have set 'map_traps_to_this_model_using_IP_header' to 'Yes' under Event_Admin model, if I disable this attribute,  I do not get any Events/Alarms generated for Southbound gateway model and all events go to VNM only.

     

    I am still looking for the way to get the HostName under Contents page. Host Name contains the internal unique IDs used to identify the device, so Host Name is more important. Can you advise me how I can get the Event Model to be generated using prefix_Host-name (desired solution) instead of prefix_IP-Address (current situation). 

    It would be nice to have IP Address under Network Address section of Contents page.

     

    I am wondering whether it is feasible using the southbound gateway or not?

    Is it necessary to have direct polling using SNMP for this information?

     

     



  • 16.  Re: Southbound Gateway

    Posted Feb 15, 2017 08:42 AM

    It seems like you messed it up, a lot...

     

    Let's start from zero....

     

    CsVendor\gen_app_gw\EventAdmin\EventDisp should ONLY include:

    0xfff00000
    0xfff00001
    0xfff00002
    0xfff00003
    0xfff00004

     

    As you do NOT want events/alarms on the EventAdmin model. This tells Spectrum to enable Southbound GW logic.

     

    CsVendor\gen_app_gw\EventDisp should include:

    0xfff00000 E 20 A 3,0xfff00000
    0xfff00001 E 20 A 0,0xfff00001
    0xfff00002 E 20 A 3,0xfff00002
    0xfff00003 E 20 A 3,0xfff00003
    0xfff00004 E 20 A 3,0xfff00004

     

    This makes sure events/alarms are processed on the Eventmodel.

     

    Next thing is to map sysname to Eventmodel name. I see a problem here. Looking at your event message for event 0xfff00000, I can see that you want to display three variables: 16, 8, 10. But...

     

    A "applianceOffline" event has occurred, from {t} device, named {m}.

    Monitored appliance halted, crashed, or became otherwise unresponsive.

    sysname = {S 16}

    snmpTrapAddress = {S 8}

    systemhostid={S 10}

     

    ...looking in your CsVendor\gen_app_gw\EventAdmin\AlertMap (which should be CsVendor\gen_app_gw\AlertMap) for this event:

     

    # applianceOffline                                            systemHostId
    1.3.6.1.4.1.21091.6.1.6.1         0xfff00000 \ 1.3.6.1.4.1.21091.1.1.4(1,0)\
                                                                         1.3.6.1.2.1.1.5(1,0)

     

    You only map/parse variable 1 from the actual snmptrap, and this mapping is bad syntax, as you map two different OIDs to one variable: 1.3.6.1.4.1.21091.1.1.4 & 1.3.6.1.2.1.1.5 -> variable 1.

     

    So things are very wrong to start with. But, as soon as you understand how this works, you will like it.

     

    So to restart from zero, let me have a look at the Spectrum unknown trap event. Remove your AlertMap where the snmptrap mapping exists (CsVendor\gen_app_gw\EventAdmin\AlertMap), restart Spectrum (or reload eventConfig) and make your other system send a snmptrap. Then you should get "UNKNOWN SNMPTRAP RECEIVED or SNMPTRAP RECEIVED FROM UNKNOWN HOST" on your EventAdmin model and VNM that looks something like the below. Copy that information as a reply here, so I can have a look at it.


    Unknown alert received from device *** of type Pingable. Device Time 440+19:32:40. (Trap type 1.3.6.1.4.1.232.6.136034271)

    Trap var bind data:
    OID: 1.3.6.1.4.1.232.136.1.1.4 Value: xxxx
    OID: 1.3.6.1.4.1.232.136.1.3.1.2.1.12 Value: xxxx
    OID: 1.3.6.1.4.1.232.136.1.1.7.1.3 Value: xxxx
    OID: 1.3.6.1.4.1.232.136.1.1.7.1.6 Value: xxxx
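
The fault pointed out in posts 7 and 16 (two varbind OIDs mapped to the same variable ID in one AlertMap entry) can be checked before the file is loaded. The following Python sketch is an added example, not part of the thread and not CA or Broadcom code. It assumes only the entry layout visible in the posts (trap OID, event code, `OID(variable,n)` mappings, backslash continuation); `lint_alertmap`, `logical_entries` and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the faulty entry quoted in the thread, then a clean one.
SAMPLE_ALERTMAP = r"""
# applianceOffline
1.3.6.1.4.1.21091.6.1.6.1  0xfff00000 \
    1.3.6.1.4.1.21091.1.1.4(1,0)\
    1.3.6.1.2.1.1.5(1,0)

# applianceOnline
1.3.6.1.4.1.21091.6.1.6.2  0xfff00001 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)
"""

OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
EVENT_RE = re.compile(r"^0x[0-9a-fA-F]+$")
# OID(variable_id,n): the second number is kept but not interpreted here.
MAPPING_RE = re.compile(r"^(\d+(?:\.\d+)+)\((\d+),(\d+)\)$")

def logical_entries(text):
    """Yield one string per entry; backslash continuation is an assumption."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no mapping data
        continued = line.endswith("\\")
        buf.append(line.replace("\\", " "))
        if not continued:
            yield " ".join(buf)
            buf = []
    if buf:  # file ended on a continuation line
        yield " ".join(buf)

def lint_alertmap(text):
    """Return (trap_oid, message) findings for an AlertMap text."""
    findings = []
    for entry in logical_entries(text):
        tokens = entry.split()
        trap_oid = tokens[0]
        if (len(tokens) < 2 or not OID_RE.match(trap_oid)
                or not EVENT_RE.match(tokens[1])):
            findings.append((trap_oid, "malformed trap OID or event code"))
            continue
        oids_by_var = defaultdict(list)
        for tok in tokens[2:]:
            m = MAPPING_RE.match(tok)
            if m is None:
                findings.append((trap_oid, f"unparseable mapping {tok!r}"))
                continue
            oids_by_var[int(m.group(2))].append(m.group(1))
        for var_id, oids in sorted(oids_by_var.items()):
            if len(oids) > 1:  # the fault described in posts 7 and 16
                findings.append(
                    (trap_oid, f"variable {var_id} mapped from {len(oids)} OIDs: "
                               + ", ".join(oids)))
    return findings

if __name__ == "__main__":
    for trap_oid, message in lint_alertmap(SAMPLE_ALERTMAP):
        print(f"{trap_oid}: {message}")
```

An entry that still carries a placeholder event code such as `0xfff000??` is reported as malformed, which catches a template pasted without the real event ID.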



  • 17.  Re: Southbound Gateway

    Posted Feb 21, 2017 10:56 AM

    Hello Robert,

    I followed your explanations and here I am.

    What next ?

    Thank you ;-)

    Trap Received



  • 18.  Re: Southbound Gateway

    Posted Feb 22, 2017 03:34 AM

    OK, good! I see that you control the contents of the variables as well, that's really good. This means you have a good possibility to create a really good integration. Next thing is to populate these variables with hostname, event message, severity (if it exists) and more that you think is needed from the third party monitoring. This is configured on the trap-sending side, so do this first and then upload a new screenshot, like the one you uploaded now, where we can see the variables that we will use for the southbound integration.

     

    /Roberth



  • 19.  Re: Southbound Gateway

    Posted Feb 27, 2017 08:44 AM

    Hello Roberth,

    First, Thank you for your help.

    To test, I would like to start with these 3 variables if it's possible.

    1.3.6.1.4.1.1850.1.0.0.7 hostname

    1.3.6.1.4.1.1850.1.0.0.13 IP Address

    1.3.6.1.4.1.1850.1.0.0.17 Event Message

     

    Hostname, IP and Event Message

    ...

    Thank you



  • 20.  Re: Southbound Gateway

    Posted Mar 01, 2017 11:37 AM

    OK, that's simple to fix. I'm on vacation this week. But I will help you out next week.

     

    It would be nice if you could also forward severity (info, warning, critical) if it exists, so we can map this dynamically, AND also if there is a clear event, then we could make Spectrum clear the alarm automatically.



  • 21.  Re: Southbound Gateway

    Posted Mar 02, 2017 03:45 AM

    First of all, thank you for your help, really, for the time you spent answering me.
    If we arrive at the end of the subject, I shall make a clear and precise comment so that it serves everyone.
    Severity is an integer.

     

    Have a good holiday ;-)

     

     

    1.3.6.1.4.1.1850.1.0.0.7 hostname

    1.3.6.1.4.1.1850.1.0.0.13 IP Address

    1.3.6.1.4.1.1850.1.0.0.17 Event Message

    1.3.6.1.4.1.1850.1.0.0.18 severity (0 clear) (1 info) (4 major) (5 critical)



  • 22.  Re: Southbound Gateway

    Posted Mar 06, 2017 08:43 AM

    custom\gen_app_gw\AlertMap entry for this specific trap:

     

    1.3.6.1.4.1.21091.6.1.6.1 0xfff000?? \
    1.3.6.1.4.1.1850.1.0.0.7(1,0)\
    1.3.6.1.4.1.1850.1.0.0.13(13,0)\
    1.3.6.1.4.1.1850.1.0.0.17(101,0)\
    1.3.6.1.4.1.1850.1.0.0.18(102,0)

     

    custom\gen_app_gw\EventDisp entry for this specific event:

    0xfff000?? E 20

     

    custom\gen_app_gw\EventAdmin\EventDisp entry for this specific event:

    0xfff000??

     

    Create an Eventmessage that contains {S 1}, {S 13}, {S 101}, {S 102}

     

    Then send the trap. We haven't configured any alarm yet, but the above should create an eventmodel within the EventAdmin container with the hostname as model name. The event will be presented on this model.

     

    Try this and report back. We map it to an alarm after this works.

     

    /Roberth

     

     

     

     



  • 23.  Re: Southbound Gateway

    Posted Mar 06, 2017 08:44 AM

    Replace 0xfff000?? with correct event id.



  • 24.  Re: Southbound Gateway

    Posted Mar 14, 2017 11:10 AM

    Hello Robert,

     

    Here I am :

     

     

    I restarted the Spectro Servers and I sent a trap on the EventAdmin Model.



  • 25.  Re: Southbound Gateway

    Posted Mar 14, 2017 11:28 AM

    Hmmm.. "Unknown alert", this means the AlertMap didn't work.

     

    Change Alertmap to below (took away .6), restart spectroserver (or reload eventconfig) and try again:

     

    1.3.6.1.4.1.1850.1 0xffff2000 1.3.6.1.4.1.1850.1.0.0.7(1,0)\
                                                   1.3.6.1.4.1.1850.1.0.0.13(13,0)\
                                                   1.3.6.1.4.1.1850.1.0.0.17(101,0)\
                                                   1.3.6.1.4.1.1850.1.0.0.18(102,0)



  • 26.  Re: Southbound Gateway

    Posted Feb 15, 2017 10:20 AM

    Robert, Thanks for your reply.

     

    Sorry I did not mention AlertMap file and both EventDisp files (EventAdmin and Event Model) entries description of configuration in my last message. I have already configured both EventDisp files from EventAdmin and EventModel in the same manner as you described, also mentioned in southbound gateway documentation. 

     

    CsVendor\gen_app_gw\EventAdmin\EventDisp include the following:

    0xfff00000
    0xfff00001
    0xfff00002
    0xfff00003
    0xfff00004

    CsVendor\gen_app_gw\EventDisp include the following:

    0xfff00000 E 20 A 3,0xfff00000
    0xfff00001 E 20 A 0,0xfff00001
    0xfff00002 E 20 A 3,0xfff00002
    0xfff00003 E 20 A 3,0xfff00003
    0xfff00004 E 20 A 3,0xfff00004

     

    Please be assured that neither are the AlertMap variables set to variable 1 nor are two OIDs set to a single variable. I had updated a different variable for each different OID by taking reference from existing configurations. The AlertMap file includes the following:

     

    # applianceOffline systemHostId
    1.3.6.1.4.1.21091.6.1.6.1 0xfff00000 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)

    # applianceOnline systemHostId
    1.3.6.1.4.1.21091.6.1.6.2 0xfff00001 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)

    # memoryPaging systemHostId
    1.3.6.1.4.1.21091.5.0.3 0xfff00002 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)

    # cpuUtilHigh systemHostId
    1.3.6.1.4.1.21091.5.0.1 0xfff00003 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)

    # bridgeLink systemHostId
    1.3.6.1.4.1.21091.5.0.9 0xfff00004 \
    1.3.6.1.2.1.1.5(16,0)\
    1.3.6.1.6.3.18.1.3(8,0)\
    1.3.6.1.4.1.21091.1.1.4(10,0)

     

    I am successfully getting values of variables (16, 8, 10) under Component Details by using following Event Configuration Settings:

    sysname = {S 16}

    snmpTrapAddress = {S 8}

    systemhostid={S 10}

     

    I will delete the AlertMap file and I will provide you information about unknown traps.



  • 27.  Re: Southbound Gateway

    Posted Feb 15, 2017 10:47 AM

    I will delete AlertMap file as you suggested and will share unknown Traps with you ASAP after reaching office tomorrow.