This post is more than 5 years old
21 Posts
0
2462
Question on SRM trap alert
Dear Experts,
From the documents we know that SRM can receive traps from a device and list them in a report. Is there any guide on how to customize this?
isakats
141 Posts
0
March 23rd, 2017 06:00
Hi Jianping.Wang,
By default, traps are received by the Trap-Receiver that runs in the Event-Processing-Manager for Alert-Consolidation. The traps are then sent to the Event-Log-Processor and go through the configurations in the rules directory to get parsed and formatted into SRM events. You will probably need to create a custom rule for the source of the events that you want to add. You can look at the existing rules for examples and refer to the APG-Event-Log-Processor.pdf for more details on functionality.
hth,
Regards,
Isaka
Jianping_Wang
21 Posts
0
March 23rd, 2017 01:00
In the alert definition module, I did the following steps:
1. Defined a "Filtered entry" node with "*" and linked it to the "SNMP Trap" node.
2. Configured the "SNMP Trap" node as:
Host localhost
Port 2041
Community public
Generic ID: 6
Enterprise specific ID: 1
Trap content:
An PROP.'eventstate' alert has been received with the following attributes:
Message: PROP.'fullmsg'
Device: PROP.'device'
Device Type: PROP.'devtype'
Severity: PROP.'severity'
Source: PROP.'Source'
Source IP: PROP.'sourceip'
Part Type: PROP.'parttype'
Part: PROP.'part'
Category: PROP.'category'
3. Enabled this definition.
After sending a test trap to SRM, I can see the alert message with the following details:
Severity: UNKNOWN
Device type: consult the site administrator
Device name: long text that is exactly the same as the Trap content I defined in the "SNMP Trap" node.
Category: empty
Object type: empty
Object: empty
Event id: 640XXXXXXXXXXXXXXXX
Event: empty
Source: null-GenericEvent
Source ip address: 127.0.0.1
Source domain name: empty
Source event type: empty
Full message: empty
As I understand it, the trap attributes should be transferred into event attributes. May I know how?
Jianping_Wang
21 Posts
0
March 28th, 2017 05:00
Hi Isaka,
I'm very close to success now. After configuring, I can see my trap listed in "processing-0-18.log", but when I use the filter "*" to print it out to a log file, I still see: "PROP.'device',PROP.'devtype',PROP.'part',PROP.'parttype',DURABLE,PROP.'severity',PROP.'severity',PROP.'value'"
May I know why it is not converted?
Another question: may I know the rule to filter out trap events from a report? Which attribute and keyword should be used?
isakats
141 Posts
0
March 29th, 2017 05:00
Hi Jianping.Wang,
The PROP. can't be translated as traps do not contain these properties; these properties are only available for time series (metrics that we can poll at a regular interval and graph). Events such as traps have their own set of properties; you can look at the "Alert consolidation notification trap" alert (right click from the "Alerts definition" list and choose edit) for a listing of properties.
For reporting on events we use different properties such as severity, source and variable; variable is a database name so that we automatically exclude all time series data and only display events. You can look at the reports under the All>>Operations>>Alerts branch for examples.
regards,
Isaka
Jianping_Wang
21 Posts
0
March 30th, 2017 04:00
Hi Isaka,
I copied the "Trap Content" definition from "Alert Consolidation Trap Notification"; this also does not work.
I can see the trap info in "processing-*-*.log", but both "eventSource is ImpactAnalysis-GenericEvent" and "eventSource is not ImpactAnalysis-GenericEvent" cannot filter it out. As I understand it, when a trap arrives, it will be converted according to the XML under "Event-Processing\Trap-Receiver\Default\conf\rules", then go to "alert definitions" to trigger an action.
May I know how to check which step has the problem, and then debug the root cause?
Jianping_Wang
21 Posts
0
March 31st, 2017 02:00
Hi Isaka,
I tried changing the SNMP community string to a wrong one, and "processing-*-*.log" still shows the trap message at INFO log level, so I believe this only means the trap is received, but not really converted to an event.
Here are some logs:
isakats
141 Posts
1
April 5th, 2017 10:00
Hi Jianping.Wang,
Without seeing the full logs it is hard to say what's going on. It does look like the event processing manager is receiving traps and the issue could be that it is not being converted correctly by the rules.
At this point it would probably be a good idea to open a case with support.
regards,
Isaka
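One way to check the first stage independently of SRM is to decode a captured trap and confirm which community, generic/specific IDs and varbinds the device actually puts on the wire, since those are the only fields a rule can map into event properties. The following is an added example, not part of the original thread and not SRM code; the function names, the sample packet and the 1.3.6.1.4.1.99999 enterprise OID are constructed for illustration.

```python
def read_tlv(buf, pos):  # -> (tag, value bytes, offset of the next TLV)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def fields(buf, pos=0):  # yields the child (tag, value) pairs of a SEQUENCE
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):   # INTEGER, Counter, Gauge, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:                       # OCTET STRING
        return body.decode("utf-8", "replace")
    if tag == 0x06:                       # OBJECT IDENTIFIER
        return decode_oid(body)
    return ".".join(map(str, body)) if tag == 0x40 else body.hex()  # IpAddress

def parse_v1_trap(packet):
    tag, msg, _ = read_tlv(packet, 0)
    version, community, pdu = fields(msg)
    if tag != 0x30 or pdu[0] != 0xA4:     # 0xA4 = SNMPv1 Trap-PDU
        raise ValueError("not an SNMPv1 trap")
    *head, binds = fields(pdu[1])
    keys = ("community", "enterprise", "agent_addr", "generic", "specific", "uptime")
    trap = dict(zip(keys, (decode_value(*f) for f in [community, *head])))
    trap["varbinds"] = [(decode_oid(n[1]), decode_value(*v))
                        for n, v in (fields(vb) for _, vb in fields(binds[1]))]
    return trap

# Constructed sample (not a real capture): community "public", generic 6, specific 1.
SAMPLE = (bytes.fromhex("3043020100") + b"\x04\x06public" + bytes.fromhex(
    "a436" "06092b06010401868d1f01" "4004c000020a" "020106" "020101" "430164"
    "301a3018" "060a2b06010401868d1f0101" "040a") + b"fan failed")
```

Feeding it the UDP payload of a trap captured on the receiver port shows whether the device sends the values the rule is expected to match, before looking at the rules themselves.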
Jianping_Wang
21 Posts
0
April 6th, 2017 18:00
Hi Isaka,
Thanks for help so long,