Question on SRM trap alert

In alert definition module, I did following steps:

1. Defined a "Filtered entry" node with "*", and link it to "SNMP Trap" node. 

2. Configure "SNMP Trap" node as:

Host localhost

Port     2041

Community     public

Generic ID:     6

Enterprise specific ID:     1

Trap content:    

     An PROP.'eventstate' alert has been received with the following attributes:

     Message: PROP.'fullmsg'

     Device: PROP.'device'

     Device Type: PROP.'devtype'

     Severity: PROP.'severity'

     Source: PROP.'Source'

     Source IP: PROP.'sourceip'

     Part Type: PROP.'parttype'

     Part: PROP.'part'

     Category: PROP.'category'

3. Enable this definition.

After sent test trap to SRM, I can see the alert message with following detials:

     Severity: UNKNOWN

     Device type: consult the site administrator

     Device name: long text that totally same as Trap content I defined in "SNMP Trap" node.

     Caregory:     empty

     Object type:     empty

     Object:      empty

     Event id:     640XXXXXXXXXXXXXXXX

     Event:     empty

     Source:     null-GenericEvent

     Source ip address: 127.0.0.1

     Source domain name:     empty

     Source event type:     empty

     Full message: empty

As my understanding, the trap attributes should be transferred into event attributes, may I know how?

Hi Isaka,

     I'm very close to success now, after configure I can see my trap listed in "processing-0-18.log", but while use filter "*" to print out it to log file, I still see: "PROP.'device',PROP.'devtype',PROP.'part',PROP.'parttype',DURABLE,PROP.'severity',PROP.'severity',PROP.'value'"

     May I know why it is not converted?

     Another question, may I know the rule to filter out trap event from report, which attribute and keyword should be used?

Hi Jianping.Wang,

The PROP. cant be translated as traps do not contain these properties; these properties are are only available for time series (metrics that we can poll at a regular interval and graph). Events such as traps have their own set of properties; you can look at the "Alert consolidation notification trap" alert (right click from the "Alerts definition" list and choose edit) for a listing of properties.

For reporting on events we different properties such as severity, source and variable; variable is a database name so that we automatically exclude all time series data and only display events. You can look at the reports under the All>>Operations>>Alerts branch for examples.

regards,

Isaka

Hi Isaka,

     I copied the "Trap Content" definition from "Alert Consolidation Trap Notification", this also not work.

     I can see trap info in "processing-*-*.log", but both "eventSource is ImpactAnalysis-GenericEvent" and "eventSource is not ImpactAnalysis-GenericEvent" cannot filter it out. As my understanding, when trap arrive, it will be converted according to the XML under "Event-Processing\Trap-Receiver\Default\conf\rules", then goto "alert definitions" to trigger action.

     May I know how to check which step get problem, then debug the root cause?

Hi Isaka,

     I tried change the SNMP community string to wrong one, "processing-*-*.log" still show the trap message at INFO log level, so I believe this only mean trap is received, but not really converted to event.

     Here are some logs:

INER	-- [2017-03-31 16:25:11 PDT] -- MetroConfigLoader] ::locateResource(): ENTRY jaxws-tubes.xml
FINE	-- [2017-03-31 16:25:11 PDT] -- MetroConfigLoader] ::getResource(): MASM0014: Unable to load [ javax.servlet.ServletContext ] class
FINER	-- [2017-03-31 16:25:11 PDT] -- MetroConfigLoader] ::locateResource(): RETURN null
CONFIG	-- [2017-03-31 16:25:11 PDT] -- MetroConfigLoader] :: (): MASM0007: No application metro.xml configuration file found.
FINER	-- [2017-03-31 16:25:11 PDT] -- TubelineAssemblyContextImpl] ::createServer(): Added {0} tube instance to the tubeline.
FINER	-- [2017-03-31 16:25:11 PDT] -- TubelineAssemblyContextImpl] ::createServer(): Added {0} tube instance to the tubeline.
INFO	-- [2017-03-31 16:25:11 PDT] -- HttpServer::start(): Starting web service server at /127.0.0.1:60938 (http)...
INFO	-- [2017-03-31 16:25:11 PDT] -- HttpServer::start(): Writing service identification in C:\EMC_SRM\APG\Event-Processing\Event-Processing-Manager\Default\.webservice
INFO	-- [2017-03-31 16:25:11 PDT] -- Bootstrap::start(): Processing manager started !
INFO	-- [2017-03-31 16:25:17 PDT] -- EventSpy$SpyStreamHandler::handleEvent(): From Trap-Receiver[data]:
INFO	-- [2017-03-31 16:25:17 PDT] -- EventSpy$SpyStreamHandler::handleEvent(): From Trap-Receiver[data]:
INFO	-- [2017-03-31 16:25:17 PDT] -- EventSpy$SpyStreamHandler::handleEvent(): com.watch4net.events.common.data.GenericEvent ...(here followed with  trap message)

Hi Jianping.Wang,

Without seeing the full logs it is hard to say what's going on. It does look like the event processing manager is receiving traps and the issue could be that it is not being converted correctly by the rules.

At this point it would probably be a good idea to open a case with support.

regards,

Isaka

Hi Isaka,

     Thanks for help so long,