How to create alarms with the unknown SNMP devices traps?

Discussion created by CristianoP on Sep 29, 2011
Latest reply on Oct 20, 2011 by Roger_Nason

Like • Show 1 Like1
Comment • 14

Hi list!

I'm trying to create an alarm when a specific trap is received, from the unknown SNMP device.
This is one example of the messages that I have in OneClick (event), for event 0x10802:

Trap 6.20 received from unknown SNMP device with IP address 10.124.45.2 and SNMP community string 'prosnmp'. Trap identifier 1.3.6.1.4.1.12394.4.1.3.
Trap var bind data:
OID: 1.3.6.1.4.1.12394.1.1.14.4 Value: 2
OID: 1.3.6.1.4.1.12394.1.1.14.19 Value:
OID: 1.3.6.1.4.1.12394.1.1.14.9 Value: 24
OID: 1.3.6.1.4.1.12394.1.1.14.18 Value: 2300667

In event configuration, the event is 0x10802, I tried to create some event rules (event condition) that would generate some different alarms, based on IP, but I cant do it work :(
Somebody can explain how can i do it?

Regards!

Cristiano Pereira

Outcomes

14 Replies

johnstanton Sep 29, 2011 6:00 PM
Hello Cristiano!

What does the SpecRoot/custom/Events/EventDisp entry look like for this particular event now that you have added your event rule?

Another good tip for debugging custom Events: Edit your $SPECROOT/SS/.vnmrc file like this: Find the entry for event_disp_error_file=. Add a file name to this parameter. Whenever the Events are loaded into memory Spectrum will write debug output here if it encounters issues with any event mappings/configurations.

Can you describe what you are trying to achieve via the Event Condition rule?

Let me know on the questions and I'll see if I can help!

-->John
Like • Show 2 Likes2
Actions
- CristianoP @ johnstanton on Sep 29, 2011 7:24 PM
  Hi John,
  
  Thanks for the fast reply!
  
  In my EventDisp, I have it:
  
  0x10802 E 0 R CA.EventCondition, "(exists({A 172.28.100.105}))" , "0xfff00015 -:-"
  
  0xfff00015 E 0 A 3,0xfff00015
  
  I made a lot of combinations, note that I did not made the customization course yet ;)
  
  ---
  
  The situation is it:
  I have a restricted licence for the use of Spectrum. I can have 250 items in this tool. So, I'm sending traps from some servers that have systems and scripts that send some notifications. If I discover this object in Spectrum, adding the notifications in the mib and import/map it, the alarms works! But, I have to "burn" one licence only for it...
  
  My idea is send traps and make some filters (event rules), directing for customs events / alarms... After, can I put it into correlation domain, and these alarms can be visible to my NOC operators...
  
  What do you think?
  Like • Show 1 Like1
  Actions
  - johnstanton @ CristianoP on Sep 29, 2011 3:57 PM
    CristianoP wrote:
    Hi John,
    
    Thanks for the fast reply!
    
    In my EventDisp, I have it:
    
    0x10802 E 0 R CA.EventCondition, "(exists({A 172.28.100.105}))" , "0xfff00015 -:-"
    
    0xfff00015 E 0 A 3,0xfff00015
    
    I made a lot of combinations, note that I did not made the customization course yet ;)
    
    ---
    
    The situation is it:
    I have a restricted licence for the use of Spectrum. I can have 250 items in this tool. So, I'm sending traps from some servers that have systems and scripts that send some notifications. If I discover this object in Spectrum, adding the notifications in the mib and import/map it, the alarms works! But, I have to "burn" one licence only for it...
    
    My idea is send traps and make some filters (event rules), directing for customs events / alarms... After, can I put it into correlation domain, and these alarms can be visible to my NOC operators...
    
    What do you think?
    Cristiano,
    
    Based on this syntax,"(exists({A 172.28.100.105})), you would expect the following to occur: If Address 172.28.100.105 exists, then fire 0xfff00015.
    
    The Trap you indicated earlier has a source IP address of 10.124.45.2 and there are no varbinds which seem to provide this IP address either...
    
    Perhaps a quick review of the Event Configuration Users Guide may help fill in some blanks? I've attached it in case you don't have this doc handy. It's from 9.2.1.
    
    I apologize, but I don't quite understand what you are trying to accomplish. If you would like to provide some additional details, I'm willing to help.
    
    -->John
    Attachments
    Spectrum_Event_Configuration_User_ENU.pdf1.7 MB
    Like • Show 2 Likes2
    Actions
    - CristianoP @ johnstanton on Sep 29, 2011 4:14 PM
      john_stanton wrote:
      
      Hi John,
      
      Based on this syntax,"(exists({A 172.28.100.105})), you would expect the following to occur: If Address 172.28.100.105 exists, then fire 0xfff00015.
      
      The Trap you indicated earlier has a source IP address of 10.124.45.2 and there are no varbinds which seem to provide this IP address either...
      
      Perhaps a quick review of the Event Configuration Users Guide may help fill in some blanks? I've attached it in case you don't have this doc handy. It's from 9.2.1.
      
      I apologize, but I don't quite understand what you are trying to accomplish. If you would like to provide some additional details, I'm willing to help.
      
      -->John
      Yes John, it is the problem.
      When a trap with another source (like 10.124.45.2) is received, the event 0xfff00015 is fired... I read the user guide...
      I was thinking that I had made a mistake... But...
      
      Tomorrow I will revise all steps, thanks!!!
      
      PS.:excuse-me for some english errors ;)
      
      Regards!
      
      Cristiano Pereira
      Like • Show 0 Likes0
      Actions
      - CristianoP @ CristianoP on Sep 30, 2011 12:01 PM
        John,
        
        As I wrote before, any trap received (from any source add.) fires the alarm. I have attached a picture that shows what happens...
        
        I want to send traps from objects that i have no discovered, and based on these notifications, fire custom alarms...
        Attachments
        events.jpg43.5 KB
        Like • Show 0 Likes0
        Actions
        johnstanton @ CristianoP on Oct 3, 2011 12:07 PM
        Cristiano,
        
        If you would like to alarm against network devices which are not modeled/managed directly by Spectrum, but rather are being managed by an external 3rd party app, or is acting as a trap receiver/fowarder, this is best achieved via SouthBound Gateway.
        
        This functionality is provided for just these cases.
        
        You have a 3rd party app, which can forward either SNMP traps or pre-formatted XML files which is managing other entities you'd whose alerts you would like integrated into Spectrum's event/alarm management system.
        
        I think this may be a better alternative for what you are trying to achieve.
        
        Please review the doc regarding this functionality and let me know if you have additional questions.
        
        -->John
        Like • Show 1 Like1
        Actions
        CristianoP @ johnstanton on Oct 4, 2011 9:14 AM
        John,
        
        Correct me if I'm wrong.
        To use the Southbound Gateway, I need to create an object (EventAdmin). However, if I do it, I will burn one license right? Also, I need a developer ID to make this integration...
        
        I'll continue reading the documentation, but I still think I'm doing something wrong with the "event rule", should work well ... :sad
        
        Regards,
        Like • Show 0 Likes0
        Actions
        johnstanton @ CristianoP on Oct 4, 2011 9:34 AM
        Cristiano,
        
        You would indeed utilize 1 license for the Event Admin Model - but you need only one Event Admin model which can now represent many devices for which you would not consume licenses. There would be corresponding Event Model(s) created below this parent model. The parent model - The Event Admin model - represents the unique, external source of the alerts. The child model - the Event Model - represents each unique event generated by the external source.
        
        If the external source send a single trap containing any/all needed data, you would only need a single Event Model. You could utilize event rules/procedures to handle the events the Event Model generates.
        
        If you intend to bundle and export your complete SouthBound Gateway implementation for import another Landscape, then yes, you would need a Developer ID. If this is a standalone install and you will not need to export/import the SBGW implementation, a Developer Id is not needed.
        
        -->John
        Like • Show 2 Likes2
        Actions
        CristianoP @ johnstanton on Oct 4, 2011 7:59 PM
        OK!
        
        I'll read the documentation and keep you informed.
        
        Again, thank you!
        Like • Show 0 Likes0
        Actions
        CristianoP @ johnstanton on Oct 6, 2011 1:53 PM
        John,
        
        I opened an issue at CA, and we are working on it... I made the chapter 7 demonstration (Southbound Gateway toolkit Guide - 5066), but I have the same doubt: how to treat more than one source of traps.
        
        I think that I have not made myself clear...
        I have 35 equipaments that send traps to Spectrum. When I use the Southbound Gateway, I have to use one licence for EventAdmin... Ok It works for one equipament... But how can I create the others? Have I use one licence for each one? Is it necessary the creation of 35 EventAdmin with differents IP Address?
        
        Regards,
        
        Cristiano Pereira
        Like • Show 0 Likes0
        Actions
        johnstanton @ CristianoP on Oct 6, 2011 3:00 PM
        Hello Cristiano,
        
        Ok. This clarifies things better. You are correct. For EACH source of traps be directed to Spectrum you would need an Event Admin model, and the subsequent Event Model(s) below it.
        
        This WOULD require you to use one license/Event Admin model...
        
        It may be 35 licenses needed, but you may be able to integrate events from MANY devices these systems are forwarding alerts for, yuh?
        
        -->John
        Like • Show 0 Likes0
        Actions
        CristianoP @ johnstanton on Oct 6, 2011 3:38 PM
        OK.
        
        Ok. With this idea, I come back to the original problem. How to treat traps from different sources, burning only one licence, or with no licence?
        
        I was thinking that as the traps are received, with unknown object (in VNM), could i treat them...
        With this workaround, can I manage traps (from unknown elements), matching IP Address or message (OID values) to create others events / alarms...
        Like • Show 0 Likes0
        Actions
        Christoph_Kessler @ CristianoP on Oct 18, 2011 5:05 PM
        Why you don't use Pingables?
        
        As far as I know a Pingable doesn't need a license in the Device-based licensing.
        Like • Show 1 Like1
        Actions
        Roger_Nason @ Christoph_Kessler on Oct 20, 2011 3:19 PM
        I agree. It seems that using Pingables would resolve this for you. A pingable model doesn't affect the device count and you can set up Spectrum to process traps on a Pingable. -Roger
        Like • Show 1 Like1
        Actions

How to create alarms with the unknown SNMP devices traps?

Outcomes

Attachments

Attachments

Related Content

Recommended Content