Service Operations Insight


SNMP Policy - Unknown CI when fill an input to variable

  • 1.  SNMP Policy - Unknown CI when fill an input to variable

    Posted 10-19-2016 03:18 AM

    Hello Everyone,

    I would like to integrate alerts/events from CA ADA into SOI using SNMP traps and an SNMP policy. I have created an snmp_policy.xml, but it seems the policy is not working well.

    For details, please see below a sample of the SNMP trap sent from ADA to the SNMP Connector box:

    snmp_varbindvals:

    20516,10.2.230.200,10.2.230.200,Oracle,tbs.co.id - 10.2.230.180/32,SCT,9/27/2016 01:10 WIT,Excessive,100.0 %,5.0 Minutes,http://10.250.193.187/SuperAgent/Investigator/Incidents/IncidentsViewFocus.aspx?Nav=13;0;0&Stack=T|M|N|A|S&I=1020516,Application,Update,10.250.193.187


    snmp_oids:

    1.3.6.1.4.1.4498.2.20.1.1,1.3.6.1.4.1.4498.2.20.1.2,1.3.6.1.4.1.4498.2.20.1.3,1.3.6.1.4.1.4498.2.20.1.4,1.3.6.1.4.1.4498.2.20.1.5,1.3.6.1.4.1.4498.2.20.1.6,1.3.6.1.4.1.4498.2.20.1.7,1.3.6.1.4.1.4498.2.20.1.8,1.3.6.1.4.1.4498.2.20.1.9,1.3.6.1.4.1.4498.2.20.1.10,1.3.6.1.4.1.4498.2.20.1.11,1.3.6.1.4.1.4498.2.20.1.12,1.3.6.1.4.1.4498.2.20.1.13,1.3.6.1.4.1.4498.2.20.1.14

    snmp_policy.xml:

    <Catalog version='1.0' globalextends='GLOBAL!' >

      <EventClass name='Alert'>
        <Classify>
          <Field input="snmp_enterprise" output="eventtype" outval="Applications_Events" pattern="^1\.3\.6\.1\.4\.1\.4498\.2\.20$" />
        </Classify>
      </EventClass>

      <!--
      ===CA ADA Processing===
      ==Application Events==
      -->

      <EventClass name='Applications_Events' extends='Alert'>
        <Parse>
          <Field input="snmp_varbindvals" output="temp_incidentid,temp_nodename,temp_ip,temp_objectname,temp_objecttype,temp_code,temp_date,temp_property,temp_result,temp_duration,temp_url,temp_appname,temp_status,temp_ipsource" pattern="^(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?)$" />
        </Parse>

        <Classify>
          <Field input='snmp_varbindvals' pattern='^.*SCT.*$' output='eventtype' outval='Server_Connection_Time_Events' />
        </Classify>

        <Normalize>
          <Field input='temp_property' type='map' output='severity' >
            <mapentry mapin=".*Normal.*" mapout='Normal' />
            <mapentry mapin=".*Degraded.*" mapout='Minor'/>
            <mapentry mapin=".*Excessive.*" mapout='Major'/>
          </Field>
          <Field input='temp_code' type='map' output='temp_code_abrv' >
            <mapentry mapin=".*ERTT.*" mapout='Effective Round Trip Time' />
            <mapentry mapin=".*NCT.*" mapout='Network Connection Time'/>
            <mapentry mapin=".*NRTT.*" mapout='Network Round Trip Time'/>
            <mapentry mapin=".*RS.*" mapout='Refused session'/>
            <mapentry mapin=".*RTNS.*" mapout='Retransmission delay'/>
            <mapentry mapin=".*SCT.*" mapout='Server Connection Time'/>
            <mapentry mapin=".*SRT.*" mapout='Server Response Time'/>
            <mapentry mapin=".*US.*" mapout='Unresponsive session'/>
          </Field>
        </Normalize>

        <Format>
          <Field conditional='severity' output='Severity' format='{0}' input='severity' />

          <Field output='MdrProduct' format='CA:00036' input='' />
          <Field output='MdrProdInstance' format='{0}' input='{fqdn(localhost)}' />

          <Field output='AlertedMdrProduct' format='CA:00036' input='' />
          <Field output='AlertedMdrProdInstance' format='{0}' input='{fqdn(localhost)}' />

          <Field output='OccurrenceTimestamp' format='{0}' input='{xsdateTime(now)}'/>
          <Field output='ReportTimestamp' format='{0}' input='{xsdateTime(now)}' />
        </Format>
      </EventClass>

      <EventClass name="Server_Connection_Time_Events" extends="Applications_Events">
        <Format>
          <Field output='ClassName' format='{0}' input='Alert' />
          <Field output='AlertType' format='{0}' input='Risk' />

          <Field output='Summary' format='Server Connection Time Events: Node: {0} Event:{1} {2} Status:{3} Severity:{4}' input='temp_nodename,temp_objectname,temp_objecttype,temp_result,Severity'/>
          <Field output='Message' format='Server Connection Time Events: Node: {0} Event:{1} {2} Status:{3} Severity:{4}' input='temp_nodename,temp_objectname,temp_objecttype,temp_result,Severity' />

          <Field output="MdrElementID" format="SCT{0}" input="temp_nodename" />
          <!-- <Field output='MdrElementID' format='SCT_test' input='' /> -->
          <!--
          <Field output='AlertedMdrElementID' format='SCT{0}' input='temp_nodename' />
          -->
          <Field output="AlertedMdrElementID" format="SCT{0}" input="temp_nodename" />
        </Format>
      </EventClass>

      <!--
      ITEM CLASS
      ==========
      -->

      <EventClass name='Item'>
        <Classify>
          <Field input="snmp_enterprise" output="eventtype" outval="Application_Items" pattern="^1\.3\.6\.1\.4\.1\.4498\.2\.20$" />
        </Classify>
      </EventClass>

      <!--
      ==================
      CA ADA
      Application Items
      ==================
      -->

      <EventClass name='Application_Items' extends='Item'>

        <Parse>
          <Field input="snmp_varbindvals" output="temp_incidentid,temp_nodename,temp_ip,temp_objectname,temp_objecttype,temp_code,temp_date,temp_property,temp_result,temp_duration,temp_url,temp_appname,temp_status,temp_ipsource" pattern="^(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?)$" />
        </Parse>

        <Classify>
          <Field input='snmp_varbindvals' pattern='^.*SCT.*$' output='eventtype' outval='Server_Connection_Time_Items' />
        </Classify>

        <Format>
          <Field output='Description' format='CI Created via SNMP Connector' input='' />

          <Field output='MdrProduct' format='{0}' input='CA:00036' />
          <Field output='MdrProdInstance' format='{0}' input='{fqdn(localhost)}' />
        </Format>

        <Write>
          <Field type='file' name='outfile' properties='*' />
          <Field type='publishcache' properties='*' />
        </Write>

      </EventClass>

      <EventClass name='Server_Connection_Time_Items' extends='Application_Items'>
        <Format>
          <Field output='ClassName' format='{0}' input='Application' />
          <Field output='Tags' format='{0}' input='temp_nodename' />
          <!--
          <Field output='DeviceSysName' format='{0}' input='temp_nodename' />
          -->
          <Field output="DeviceDnsName" format="{0}" input="temp_nodename" />
          <!--
          <Field output='MdrElementID' format='{0}:{1}' input='temp_nodename,temp_code' />
          -->
          <Field output="MdrElementID" format="SCT{0}" input="temp_nodename" />
          <!-- <Field output='MdrElementID' format='SCTOkik' input='' /> -->
          <Field output="ProductName" format="{0}" input="temp_nodename" />
          <Field output='temp_Label' format='{0}:{1}' input='temp_nodename,temp_objectname' />
        </Format>
      </EventClass>

      <EventClass name='USM-Entity' >
        <Format2>
          <Field output='Label' format='{0}' input='temp_Label' />
        </Format2>
      </EventClass>

    </Catalog>


    If I hardcode the MdrElementID of Items to 'SCTOkik' and the AlertedMdrElementID of Events to 'SCTOkik', the CI can be created in CA SOI.

    But if I fill the MdrElementID of Items and the AlertedMdrElementID of Events with a variable, let's say temp_nodename, I couldn't create a CI and the alert becomes Unknown without a Class.

    Can anyone help me fix this issue?

    MichaelBoehm Brahma Britta_Hoffner

    Best Regards,

    Okik Setianto



  • 2.  Re: SNMP Policy - Unknown CI when fill an input to variable

    Posted 10-19-2016 05:02 AM

    Hi Okik,

    I had a look at your policy and I see several issues with it:

    • Only the classes Server_Connection_Time_Events and Server_Connection_Time_Items have MdrElementID/AlertedMdrElementID defined (the same for ClassName, AlertType, Summary, Message). The classes Applications_Events and Application_Items do not have these mandatory values defined, i.e. all messages besides SCT will always fail.
    • The MdrElementID of an Alert and the AlertedMdrElementID should never be the same, because Items and Alerts are all CIs in the DB and only one triple MdrProduct, MdrProdInstance and MdrElementID can exist. I normally use "Alert-...." for the MdrElementID of an Alert.
      • Looking at the code you have commented out, I assume you used SCT_test as the value for the MdrElementID/AlertedMdrElementID and SCTOkik as the MdrElementID of the Alert - in this case the values of the CI and the Alert are different and it works (see the point above).
      • In the case of using temp_nodename for all, they overlap and cause problems.

    Please adapt your policy accordingly and try again.

    If you still face problems, you can contact me directly.

    MichaelBoehm
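    To make the two posts above concrete, here is an added Python model of the posted snmp_policy.xml. It is example code written for this page, not CA SOI's policy engine and not code from either poster. It replays the Parse, Classify and Normalize steps on the sample trap from the first post, then applies the rule from the reply that every CI, Item or Alert, needs a unique (MdrProduct, MdrProdInstance, MdrElementID) triple. The MdrProdInstance value standing in for {fqdn(localhost)}, the first-match semantics of the map tables, and the extra test inputs are assumptions; the "Alert-" prefix is the reply's suggestion.

    ```python
    import re

    # Sample trap from the post, constructed from the text (not captured live).
    SNMP_ENTERPRISE = "1.3.6.1.4.1.4498.2.20"
    SNMP_VARBINDVALS = (
        "20516,10.2.230.200,10.2.230.200,Oracle,tbs.co.id - 10.2.230.180/32,SCT,"
        "9/27/2016 01:10 WIT,Excessive,100.0 %,5.0 Minutes,"
        "http://10.250.193.187/SuperAgent/Investigator/Incidents/"
        "IncidentsViewFocus.aspx?Nav=13;0;0&Stack=T|M|N|A|S&I=1020516,"
        "Application,Update,10.250.193.187"
    )

    # Output names of the policy's <Parse> Field, in order.
    FIELDS = (
        "temp_incidentid temp_nodename temp_ip temp_objectname temp_objecttype "
        "temp_code temp_date temp_property temp_result temp_duration temp_url "
        "temp_appname temp_status temp_ipsource"
    ).split()
    # Same pattern as the policy: 14 lazy groups separated by literal commas.
    PARSE_RE = re.compile("^" + ",".join(["(.*?)"] * len(FIELDS)) + "$")
    ENTERPRISE_RE = re.compile(r"^1\.3\.6\.1\.4\.1\.4498\.2\.20$")
    SCT_RE = re.compile(r"^.*SCT.*$")

    # <Normalize> map tables from the policy; first matching mapin wins (assumed semantics).
    SEVERITY_MAP = ((".*Normal.*", "Normal"), (".*Degraded.*", "Minor"), (".*Excessive.*", "Major"))
    CODE_MAP = (
        (".*ERTT.*", "Effective Round Trip Time"), (".*NCT.*", "Network Connection Time"),
        (".*NRTT.*", "Network Round Trip Time"), (".*RS.*", "Refused session"),
        (".*RTNS.*", "Retransmission delay"), (".*SCT.*", "Server Connection Time"),
        (".*SRT.*", "Server Response Time"), (".*US.*", "Unresponsive session"),
    )

    # Only these EventClasses in the posted policy set MdrElementID / AlertedMdrElementID.
    DEFINES_ELEMENT_ID = {"Server_Connection_Time_Events", "Server_Connection_Time_Items"}
    MDR_PRODUCT = "CA:00036"
    MDR_PROD_INSTANCE = "soi-connector.example.net"  # assumed stand-in for {fqdn(localhost)}


    def parse_varbinds(varbindvals):
        """<Parse>: split the comma-joined varbind values into the 14 temp_ fields (None if < 14)."""
        m = PARSE_RE.match(varbindvals)
        return dict(zip(FIELDS, m.groups())) if m else None


    def map_first(value, table):
        """<Normalize type='map'>: mapout of the first mapentry whose mapin matches, else None."""
        for mapin, mapout in table:
            if re.fullmatch(mapin, value):
                return mapout
        return None


    def classify(enterprise, varbindvals, kind):
        """<Classify> chain for kind 'Events' (Alert) or 'Items' (Item); None if the OID is foreign."""
        if not ENTERPRISE_RE.match(enterprise):
            return None
        if SCT_RE.match(varbindvals):  # the policy scans the whole string, not just temp_code
            return "Server_Connection_Time_" + kind
        return {"Events": "Applications_Events", "Items": "Application_Items"}[kind]


    def process_trap(enterprise, varbindvals, alert_prefix=""):
        """Run the Alert and Item branches and report the CI identity triples they produce.

        alert_prefix="" reproduces the posted policy; "Alert-" is the reply's suggestion.
        """
        fields = parse_varbinds(varbindvals)
        if fields is None:
            return {"error": "Parse failed: fewer than 14 comma-separated values"}
        classes = {k: classify(enterprise, varbindvals, k) for k in ("Events", "Items")}
        if None in classes.values():
            return {"error": "snmp_enterprise %s did not match the policy" % enterprise}
        problems = [c + " sets no MdrElementID" for c in classes.values() if c not in DEFINES_ELEMENT_ID]
        node = fields["temp_nodename"]
        triples = {}
        if classes["Items"] in DEFINES_ELEMENT_ID:
            triples["item"] = (MDR_PRODUCT, MDR_PROD_INSTANCE, "SCT" + node)
        if classes["Events"] in DEFINES_ELEMENT_ID:
            triples["alert"] = (MDR_PRODUCT, MDR_PROD_INSTANCE, alert_prefix + "SCT" + node)
        # Rule from the reply: Items and Alerts share one CI namespace, so the triple must be unique.
        if len(triples) == 2 and triples["item"] == triples["alert"]:
            problems.append("Alert and Item share the triple %r" % (triples["item"],))
        return {
            "fields": fields,
            "classes": classes,
            "severity": map_first(fields["temp_property"], SEVERITY_MAP),
            "code_abrv": map_first(fields["temp_code"], CODE_MAP),
            "triples": triples,
            "problems": problems,
        }


    if __name__ == "__main__":
        for prefix in ("", "Alert-"):
            r = process_trap(SNMP_ENTERPRISE, SNMP_VARBINDVALS, alert_prefix=prefix)
            print("alert_prefix=%r triples=%s problems=%s" % (prefix, r["triples"], r["problems"]))
    ```

    Run as-is, the sample trap parses into the 14 temp_ fields, is classified as Server_Connection_Time_Events/Items, and is normalized to severity Major and code "Server Connection Time"; with the posted policy the Item and the Alert both end up as ("CA:00036", fqdn, "SCT10.2.230.200"), which is the collision the reply describes, and the "Alert-" prefix removes it. Two caveats of the posted regexes fall out of the same model: a comma inside any varbind value (the node name, say) shifts every later column silently because the lazy groups still match, and the `^.*SCT.*$` classifier scans the entire varbind string rather than temp_code, so a non-SCT trap would be routed to the SCT class if "SCT" appeared anywhere else in its values.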