DX NetOps


Custom Event Conditions

  • 1.  Custom Event Conditions

    Posted 03-09-2017 03:36 AM

    Good morning, or afternoon depending on when you read this.

     

    We have a remote server running syslog-ng, and with a script we generate custom traps to send to the SpectroServer. I have created an event in Spectrum that correlates to the trap OIDs to generate events; however, we currently receive too many, and I would like to use Event Rules in order to only generate alarms from the most important events.

     

    Here is a snippet of the script used to generate the trap:

    my $result = $session->trap(
                            -enterprise     => '1.3.6.1.4.1.107.999',
                            -generictrap    => 6,
                            -agentaddr      => $SourceIP,
                            -specifictrap   => 201,
                            -timestamp      => 100,
                            -varbindlist   => [
                                    '1.3.6.1.4.1.107.999.1', 4, $DeviceName,
                                    '1.3.6.1.4.1.107.999.2', 4, $mesg,
                           ]
                  );

     

    In Spectrum we receive something like this (I have obviously removed the delicate information):


    Severity : Normal
    Date/Time : 08-Mar-2017 15:36:41 CET
    Name : fqdn
    Network Address : 0.0.0.0
    Type : Cat38xxStack
    Alarm Title : Host fqdn in vlan 100 is flapping between port Te1/0/10 and port Te2/0/9
    Landscape : landscapelocal (0xf00000)

     

    So we receive these traps in Spectrum but as they are all bundled under the same OID, I am trying to filter them with conditions in the Event Rules but have not found the right way to filter words from the message to generate separate alarms.

     

    Could you advise which Event Variable Type would allow me to 'find' the word flapping in the Alarm Title in order to generate a Flapping alarm?

     

    Event Configuration

     

    Thanks in advance,

     

    Peter Fields



  • 2.  Re: Custom Event Conditions

    Posted 03-09-2017 01:38 PM

    Hey Peter,

     

    You could do just regex on varbind 2 (if it is coming through to Spectrum as varbind 2).

    Should be fairly easy to come up with a regular expression to parse on the word flapping with any other text around it.

     

    So your left operand would be "Event Attribute" and then Operator is "Regular Expression".

    Right Operand would be "string" probably unless it comes through as something else but I doubt it based on the above.

     

    Does that help?

     

    -Matt



  • 3.  Re: Custom Event Conditions

    Posted 03-10-2017 05:17 AM

    Hi Matthew,

     

    This definitely looks like what I need, and seems like I was using the wrong Operand. However I still haven't found what I would need to put in the Event Attribute Value field.

     

     

    Other than the blank value field, does this look right?

     

    I am currently trying with: if (regexp({v 2} {S flapping})) evaluates to TRUE, then generate 0x ffff0002b.

     

    Thanks Matthew.



  • 4.  Re: Custom Event Conditions

    Posted 03-14-2017 05:50 AM

    Update.

     

    I have tried all kinds of variations of the regexp in my last reply but still haven't managed to make it work. I

     

    Is there any way to troubleshoot the parsing?

     

    Thanks



  • 5.  Re: Custom Event Conditions

    Posted 03-17-2017 10:25 AM

    Peter, I usually use something like this when working with regex to be sure I'm using the correct syntax. Maybe it can help you too!

     

    Online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript 



  • 6.  Re: Custom Event Conditions

    Posted 03-14-2017 07:53 AM

    Hi Peter,

     

    Yes, when you play with Event Procedures and Event Rules, you'd better turn on some of the debugging options in the $SPECROOT/SS/.vnmrc file. You can have those two keys:

    event_disp_error_file=<path/name_of_file.log>
    procedure_error_file=<path/name_of_file.log>

    That will generate something so you are not blind regarding what happens during the processing of your procedures or rules. You can also have a look at the "DebugValue" function inside of the Procedure to get more insights.

     

    If you need to read more about the way to use Event Rules and Event Procedures, I suggest you have a look at all the XML files describing those in the $SPECROOT/SS/CsVendor/CA/EventRules and $SPECROOT/SS/CsVendor/CA/Procedures directories. There's one file per function, and you get operands and examples for all of them.

     

    Then, for your specific issue, the method is correct as far as I can see, but the way it's been coded is probably wrong. What is the event variable you put the second variable in? It's probably "2" as you state, but this depends on the content on the AlertMap file corresponding to that trap. Could you first confirm the second varbind of the trap is going into the event variable 2? If that's the case, then, the workflow should be the following:

    • In the AlertMap: your trap generates an event A
    • In the EventDisp: event A triggers a CA.EventCondition to check if the event variable 2 matches the regexp you want which matches what you want.
    • Or you can use an "If" statement and CreateEventCondition.

     

    In any case, you have to use the proper syntax for regexp which is "full PCRE" expression:

    Regexp({ v 2 }, { S \"flapping\" })

    Please try that out and keep us posted!



  • 7.  Re: Custom Event Conditions

    Posted 03-15-2017 03:11 AM

    Hi Christophe,

     

    Thanks for the reply, I had to read through it a couple of times before it clicked but I finally got it working after reading the line "It's probably "2" as you state, but this depends on the content on the AlertMap file corresponding to that trap".

     

    I checked the AlertMap file that was created a while ago to find this:

    1.3.6.1.4.1.107.999.6.201       0xffff9999      1.3.6.1.4.1.107.999.1(1,0) \
                                                    1.3.6.1.4.1.107.999.2(76620,0)



    so the event variable being used was 76620, after changing this in the event editor it started working.

     

    I did, however, also try changing the value to 2, but suddenly the alarm incorrectly displayed in Spectrum without information. Am I right in thinking that the event variables 1 - 100 are default assigned to fields in Spectrum? And if so, is there a defined list?

     

    Thanks again.
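
Added example, not part of the original thread and not Spectrum code: a Python sketch that parses the AlertMap entry quoted above, reports which event variable each varbind lands in, and shows why a rule reading variable 2 never matched while one reading 76620 does. Python's `re` stands in for Spectrum's PCRE engine, the function names are hypothetical, and the sample event is built from the alarm text in the first post.

```python
import re

# AlertMap entry copied from the post above (a backslash continues the line).
ALERTMAP = r"""
1.3.6.1.4.1.107.999.6.201       0xffff9999      1.3.6.1.4.1.107.999.1(1,0) \
                                                1.3.6.1.4.1.107.999.2(76620,0)
"""

# Constructed sample: event variables as this map would populate them.
SAMPLE_EVENT = {
    1: "fqdn",
    76620: "Host fqdn in vlan 100 is flapping between port Te1/0/10 and port Te2/0/9",
}

# <varbind OID>(<event variable>,<second field>); only the first number is used.
VARBIND = re.compile(r"^([0-9.]+)\((\d+),(\d+)\)$")

def parse_alertmap(text):
    """Return {trap_oid: (event_code, [(varbind_oid, event_var), ...])}."""
    joined = re.sub(r"\\\s*\n", " ", text)  # fold continuation lines
    entries = {}
    for line in joined.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or incomplete line
        trap_oid, event_code, *maps = fields
        binds = []
        for item in maps:
            hit = VARBIND.match(item)
            if hit is None:
                raise ValueError(f"unparsed mapping: {item!r}")
            binds.append((hit.group(1), int(hit.group(2))))
        entries[trap_oid] = (event_code, binds)
    return entries

def event_var_for(entries, trap_oid, position):
    """Event variable that receives the Nth (1-based) varbind of the trap."""
    return entries[trap_oid][1][position - 1][1]

def rule_would_match(entries, trap_oid, rule_var, pattern, event_vars):
    """False if the rule reads a variable the map never fills, else regex result."""
    mapped = {var for _, var in entries[trap_oid][1]}
    if rule_var not in mapped:
        return False
    return re.search(pattern, event_vars.get(rule_var, "")) is not None
```

Running `event_var_for` for the second varbind before writing an Event Rule shows the variable number the rule has to reference.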



  • 8.  Re: Custom Event Conditions

    Posted 03-15-2017 04:49 AM

    Hi,

     

    Glad that it helped you figure out what the issue was! About variable assignments: no, actually there is no reserved variable but the 76620. This very specific 76620 is intended to create a "Dynamic title" for alarms. As you know, one given Cause Code should generate a given alarm with a fixed title usually (standard case).

    However, if you use the variable 76620 in an event and that event generates an alarm, then the alarm will take the content of the variable 76620 as a title no matter what title is defined in the PCause file associated with that alarm (hope it's clear!).

    If you don't want to use a dynamic title, then you can use whatever variable you like.

     

    P.S.: there is a specific rule though if you use the Southbound Gateway for integrations. In that case, there are a couple of reserved variables in "low" numbers, which you can find there: Event Data Template Fields - CA Spectrum - 10.2 - CA Technologies Documentation (but this is just for the record).