snmp trap rules in NOTIF

Hi,

I am testing SNMP trap notifications in the SMARTS console (NOTIF > InCharge-OI). The problem here is that every trap alert with the same Name/Event/Class is combined into a single event, with only the count increasing.

For example, here is the rule in the Notif_config.ncf file for the SNMP Catchall Trap. Each time a test catchall alert is triggered, it shows only a single event in InCharge-OI (with only the notify time column updated). I have attached a screenshot of Notification Properties for a Catchall event. My requirement is to get each notification (each row) as separate alerts/events in the console. Is there a way to configure this? Am I missing anything in the configuration? Thanks.

File: Notif_Config.ncf

<eci
    EventName="SNMP Trap Catchall"
    InstanceName="$SYS$"
    ClearOnAcknowledge="true"
    Name="ECI-.*_*_*"
    ElementClassName="Host"
    ClassName="Host"
    EventText="Varbinds: $V*$"
    UnknownAgent="CREATE"
    EventDisplayName="SNMP Trap Catchall"
    EVENTTEXT="Varbinds: $V*$"
    Severity="2"
    ElementName="$SYS$"
    DisplayName=".*_*_*"
    SysNameOrAddr="$A$"
    EventType="MOMENTARY"
/>


Accepted Solutions
Re: snmp trap rules in NOTIF

Hi vtrack,

These events are being deduplicated by design. The problem is that the combination of Class/Instance/Event should always be unique, e.g. a router named router1 at any point in time can either be up or down; it can't be multiples of either state for that single point in time, hence you can only ever get one event called Router-Router1-Down at a time.

Smarts is very much a tool about what is happening RIGHT NOW, so in order for you to get unique events for each trap, you will need to put some unique identifying information into the trap definition. For example, if these traps are coming from different sources, you could use the source information in the InstanceName field, and this would make a unique event per source.

If the events are all coming from the same source, and that source is a management system that is managing a number of end devices, then the trap information should include details about the actual end device/object that is impacted. If this is the case, then you can use ASL or Notif to extract such information from the varbinds of the traps and put that into the fields to make each event unique. Or similarly, if the object is the same, but there are multiple sessions or something, and you want a unique event for each session on the same device, then you can use ASL or Notif to concatenate multiple varbinds together to make a unique field (remove spaces from anything that goes into the full notification name).

If you have absolutely no information in the trap but you want a unique event per trap, you could even use a timestamp as the unique information. However, you will have subsequent issues if there is a corresponding clear trap that should come in later when the issue is resolved, so if you do this you should set the ClearOnAcknowledge field to TRUE so you have a way of clearing the events.

I hope this helps. Here's the Notif document for reference if you need more information about creating your ECI/NCI.

Benjamin Johns

iQ Consult Pty Ltd
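
Added example (not part of the original thread, and not Smarts, ASL or Notif code): a small Python model of the Class/Instance/Event deduplication described in the answer above, comparing the three ways it suggests to fill the instance field. The trap records, helper names and the `-`/`_` separators are assumptions made for illustration.

```python
import re
from collections import Counter

def clean(part):
    """Strip whitespace: spaces must not end up in the full notification name."""
    return re.sub(r"\s+", "", str(part))

def notification_name(class_name, instance, event):
    # Class/Instance/Event forms the identity, as in "Router-Router1-Down".
    return "-".join(clean(p) for p in (class_name, instance, event))

# Three ways to fill the instance field (hypothetical helper names).
def by_source(trap):
    return trap["source"]

def by_varbinds(trap, indexes=(0, 1)):
    # Concatenate the source with selected varbinds, e.g. device and session.
    return "_".join([trap["source"]] + [trap["varbinds"][i] for i in indexes])

def by_timestamp(trap):
    # Last resort: a later clear trap can never match this name again.
    return f'{trap["source"]}_{trap["time"]}'

def deduplicate(traps, instance_of, class_name="Host", event="SNMP Trap Catchall"):
    """Return {notification name: count}; a repeated name only raises the count."""
    rows = Counter()
    for trap in traps:
        rows[notification_name(class_name, instance_of(trap), event)] += 1
    return dict(rows)

# Constructed sample traps (documentation addresses, made-up varbinds).
TRAPS = [
    {"source": "192.0.2.10", "time": 1000, "varbinds": ["edge sw 01", "session 17"]},
    {"source": "192.0.2.10", "time": 1001, "varbinds": ["edge sw 01", "session 18"]},
    {"source": "192.0.2.10", "time": 1002, "varbinds": ["edge sw 01", "session 17"]},
    {"source": "192.0.2.20", "time": 1003, "varbinds": ["core rtr 02", "session 17"]},
]

if __name__ == "__main__":
    for strategy in (by_source, by_varbinds, by_timestamp):
        print(strategy.__name__)
        for name, count in deduplicate(TRAPS, strategy).items():
            print(f"  {name}  count={count}")
```

Keying on the source alone still folds repeated traps from one sender into a single row, while the timestamp variant gives one row per trap at the cost of never matching a clear trap.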
