DX NetOps

  • Private Community
 View Only

  • 1.  Create an Event Rule to filter an IP

    Posted Mar 24, 2016 09:03 AM

    Good Day,

     

    Situation: We have a device (1.1.1.2) that scans our network and checks if it can gain information from devices via SNMP's community string "Public" among other various other SNMP strings.  This is causing multiple unwanted alarms in OneClick.

     

    I am going to the Event Configuration and find event code 0x10017; then I go to Event Rules --> Event Condition.

    I have written the following rule:

    If event 0x10017 occurs, if ({O 1} == {O 1.1.1.2}) evaluates to TRUE, then take no action.

     

    I keep on receiving alarms in OneClick.   I have tried different variations of the rule like A 1.1.1.2, and generate a blank event to execute with no success.

     

    Any assistance would be greatly appreciated.

    Stephen



  • 2.  Re: Create an Event Rule to filter an IP

    Posted Mar 25, 2016 02:37 AM

    String-compare O 1 --> A  1.1.1.2 should work

     

    (if not screenshot please)

     

    else,

     

    we shall pass the variables of 00017 to a custom event --> Write a regular expression condition (calling the network address attribute) that would filter the content in default code and the custom event (alarming) would be called if the check fails in default code 00017  (check for 1.1.1.2 IP)

     

    Cheers!

    -Lakshmi.



  • 3.  Re: Create an Event Rule to filter an IP

    Posted Mar 25, 2016 10:14 AM

    O 1 --> A 1.1.12 did not work

    Capture.JPG

    Capture1.JPG

    Capture2.JPG



  • 4.  Re: Create an Event Rule to filter an IP

    Posted Mar 28, 2016 03:05 AM

    How about string compare operator instead?

     

    Cheers

    -Lakshmi.



  • 5.  Re: Create an Event Rule to filter an IP

    Posted Mar 25, 2016 06:07 AM

    Simple event condition will work here.

    Example:

    If event 0xxxxx occurs, if (regexp({a 0x12d7f} {A 1.1.1.2}))  evaluates to TRUE, then generate event 0xyyyyy. else (default) evaluates to TRUE, then generate event 0xzzzzzzz.

     

    Where 0x12d7f is Attribute ID of Network Address.

    If it matches IP Address 1.1.1.2, it will generate event 0xyyyyyyy (Set this event to not generate alarm. If you wish, not store events in historical database). Otherwise, it will generate event 0xzzzzzzz (which will generate the alarm for other devices).

     

    Hope this helps.

     

    Below are the screenshots for an example event.

     

     

     

    Cheers...

    Rajashekar



  • 6.  Re: Create an Event Rule to filter an IP
    Best Answer

    Posted Mar 30, 2016 10:03 AM

    Just a follow up...

     

    I did manage to get a solution from CA and I did some tweaking to come up with the final solution.

    1. Copy the 0x00010017 event to 0xfff00003. (That was the next available Event Code)

    Final1.JPG

    2. In Event Code 0x00010017.  Change the Severity code to None.

    Final2.JPG

    3. Go to Event Rules and create a Event Condition.

    Now we are going to NOT create an event if there is an SNMP Authorization Failure, if the source is 1.1.1.2. Here you can nest the various IP addressees that you want to ignore with the use of the OR function.

    Final3.JPG

    4. Now we are going to add a 2nd line to the Event Condition that will tell us to generate Event 0xfff00003.  There is no need to edit 0xfff00003 and make sure you Copy Event Variables (All).

    Final 4.JPG

    5. Make sure you Save All.

    This is what everything should look like:

    Final 5.JPGFinal 6.JPG

     

    IMO, The solution was not user-intuitive and I think that CA should look at fixing it. Unfortunately I do not see that happening because it would more than likely break all the written current event rules, unless CA adds a event rule converter.

     

    I hope that this helps

    Stephen