It's not exact, but this is what I use to take CDP-4-DUPLEX_MISMATCH syslog messages and assert them on the appropriate interface using the ifDescr value that's passed in the message since by default, they'll assert on the device model:
Here is the ParseMap, just so you can see what event variables are involved:
Event066e0020
duplex mismatch discovered on {STRING 1} ({STRING 2}), with {STRINGNOWS 3} {STRINGNOWS 4} ({STRING 5})
Example: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet2/0 (not half duplex), with R13 Ethernet0/1 (half duplex).
And the EventDisp:
0x066e0020 P "ForEach(\
GetModelsByAttrValue(\
{H 0x10069},\
{ C CURRENT_MODEL } ),\
{ Variable if_handle },\
{ Variable notFound },\
{B true},\
If ( And({Variable notFound}, Exists( ReadAttribute({ Variable if_handle }, { H 0x130d1 }))),\
If ( And({Variable notFound}, Equals( ReadAttribute( {Variable if_handle}, {H 0x129e0}), GetEventVariable( {U 1}) )),\
If ( And ({Variable notFound},\
ReadAttribute( {Variable if_handle}, {H 0x12a54})),\
Prog2( Assign({Variable notFound}, {B false}),\
CreateEventWithVariables(\
{Variable if_handle},\
{H 0x066e0021},\
GetEventVariableList())),\
Nil()), Nil()), Nil()))"
0x066e0021 E 0 A 2,0x066e0021,3,4
Now, what does this do?
First, we set up a loop so we can set two variables: did we find a match (notFound) and the model handle of the matching interface (if_handle). We use the GetModelsByAttrValue to find all the models that are components of the device by searching on the Device_Mdl_Handle attribute. From that list of components we check it see if X_ifIndex exists as an attribute on them to find only the interface models. If we have that, then we read the HWComponentDescription and compare with the ifDescr present in event variable 1 (GetEventVariable U1). We do this instead of comparing to ifDescr directly because HWComponentDescription is an attribute that is stored in the database as opposed to something that would force an on demand SNMP read:
Caution: If it's really ifName that you need, I would recommend either creating another attribute that "mirrors" ifName and is stored in memory/database or maybe parse the model name, assuming you have DeviceName_ifName as the interface naming convention or you're going to bog things down by triggering lots of on demand (and expensive) SNMP polls just to get all these values.
Anyway, once we've found the right interface, we check the GeneratePortStatusAlarms attribute. You may not require that for your use case but in my example, we didn't want to generate alarms on interfaces when this value was set to No/false. Once we pass all of that, we generate a new event that results in a major alarm with some event discriminators.
Hope that helps.
Original Message:
Sent: 07-15-2020 03:49 PM
From: Abdelkader Houchi
Subject: trap event parse varbind
Hi,
How to use the ifname , I tried to add it in the event message 0x00010f94 event I got
- Wed 15 Jul, 2020 - 15:44:43 - Alarm number 12278666 with probable cause id 0xfff00195 generated for device vsgmsspdist001 of type VNM. The severity of this alarm is MINOR. (event [0x00010701])
- Wed 15 Jul, 2020 - 15:44:43 - ifName =
(event [0xfff00195])
I added this in custom Eventdisp
0xfff00175 E 50 P "CreateEvent( GetElement( GetModelsByAttrValue({U 65536},{S \"VNM\"} ),{U 1} ) , { H 0xfff00195 } )"
0xfff00195 E 30 A 1,0xfff00195
Original Message:
Sent: 07-15-2020 02:44 PM
From: Joseph Ackley
Subject: trap event parse varbind
I haven't tested anything in the lab but when I saw this, it reminded me of an out of the box Event Procedure used by Spectrum to pass an event to the VNM model by searching the model name for a that has a model type name of "VNM". This is located in the $SPECROOT/SS/CsVendor/Cabletron/EventDip file as follows:
# Search for a model by ModelType_name VNM and generate an event on it.
0x00010f93 E 50 P "\
CreateEvent( \
GetElement( \
GetModelsByAttrValue(\
{U 65536},\
{S \"VNM\"} ),\
{U 1} ) , \
{ H 0x00010f94 } )"
# Generate the alarm on the VNM
0x00010f94 E 30 A 3,0x00010f94
So you should be able to do something similar using the value of ifName from the trap varbind 1:
ifName = {S 1}
Joe
Original Message:
Sent: 07-15-2020 02:05 PM
From: Abdelkader Houchi
Subject: trap event parse varbind
In Spectrum we monitor the Transceiver interface change State from Normal to Lowset based on this trap :
| Name |
cIfXcvrMonStatusChangeNotif!@#.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoInterfaceXcvrMonitorMIB.ciscoInterfaceXcvrMonMIBNotifs.cIfXcvrMonStatusChangeNotif |
| OID |
.1.3.6.1.4.1.9.9.706.0.1 |
| MIB |
CISCO-INTERFACE-XCVR-MONITOR-MIB |
In Spectrum created event for this trap and mapped traps Mib Tools
ifName = {S 1}
ifName.ifIndex = {o 2}
cIfXcvrMonDigitalDiagTempAlarm = {T cIfXcvrMonDigitalDiagTempAlarm 3}
cIfXcvrMonDigitalDiagTempWarning = {T cIfXcvrMonDigitalDiagTempWarning 4}
cIfXcvrMonDigitalDiagVoltAlarm = {T cIfXcvrMonDigitalDiagVoltAlarm 5}
cIfXcvrMonDigitalDiagVoltWarning = {T cIfXcvrMonDigitalDiagVoltWarning 6}
cIfXcvrMonDigitalDiagCurrAlarm = {T cIfXcvrMonDigitalDiagCurrAlarm 7}
cIfXcvrMonDigitalDiagCurrWarning = {T cIfXcvrMonDigitalDiagCurrWarning 8}
cIfXcvrMonDigitalDiagRxPwrAlarm = {T cIfXcvrMonDigitalDiagRxPwrAlarm 9}
cIfXcvrMonDigitalDiagRxPwrWarning = {T cIfXcvrMonDigitalDiagRxPwrWarning 10}
cIfXcvrMonDigitalDiagTxPwrAlarm = {T cIfXcvrMonDigitalDiagTxPwrAlarm 11}
cIfXcvrMonDigitalDiagTxPwrWarning = {T cIfXcvrMonDigitalDiagTxPwrWarning 12}
cIfXcvrMonDigitalDiagTxFaultAlarm = {T cIfXcvrMonDigitalDiagTxFaultAlarm 13}
Transceiver Sensors State Change for interface cause code 0x210d5f
Question : how to parse varbind ifname or ifname.index and query the interface attribute values instead of the device name (the trap is sent with the IP of the device name)
the interface has this attribue which can have two values : Port_Unmanage or Port_manage
Question :
How Can Spectrum query the Interface Name based on Device Name , and verify the value of the attribute CollectionsModelNameString and send an alarm based on the value of this attribute ?