Syslog alert supression

Question

We have a centralized event manager that takes alerts from any monitoring system normalizes them and creates tickets or on-call notifications. This data is also stored in a database so we can run reports on outage history.  To do this we trigger a script for each message that comes in matching the proper criteria.  I have run into an issue with fan failed alerts being sent every minute from the device with the failed fan.  The thing is the network support team cannot always resolve the failed fan issue until the scheduled maintenance window.  With regular NPM advanced alerts I would just add an alert suppression for that device until the scheduled maintenance window has passed.  That way I would not get a large quantity of messages in our database and worse would not have created a ticket every minute until it was resolved (I am guessing they Network team would not like me much if I kept doing that).  I do not see any way to accomplish the same thing with the NPM syslog receiver.

Now that I wrote a much too long post, am I missing something?  Is there another way to accomplish the same goal?

skirven · Answer

Bumping this as I'm also having almost the identical issue.

My Syslog Alert criteria takes all messages matching "Fan" and forwarding to our Monitoring System so a ticket can be generated. (for the OP, our Remedy workflow actually suppresses multiple tickets, but I still don't want to have 60 tickets an hour created for the same thing).

What I want to be able to do is have a SNMP Trap forwarded on the first occurrence of the combination of Hostname/IP AND Message, and then you could say, trigger after 10 occurrences, and then not for an hour. The problem I'm having is that the system is assuming that "Fan" is the only criteria, so once it's matched, it stops, but for ALL occurrences, and not based on host/message.

Any help would be appreciated. I'm currently using NPM 10.1.1.

Thanks,
Stephen

ETA - It was mentioned to use the Custom Poller option. This isn't as easy as it sounds, because we have multiple Cisco device types, and each one seems to use a different MIB for incrementation, and some have multiple fans would would need to be instrumented, so Syslog would be the cleanest way to do this.

byrona · Answer

Hrm, it seems to me that you want to alert against this as a stateful problem but the nature of Syslog is not something that really supports this because it isn't stateful.  I am surprised you don't run into this a lot more using Syslog.

Instead of using Syslog, would it be possible to use SNMP to monitor the status of the fans using UnDP and have an advanced alert trip if they fail.  Advanced alerts are stateful and would be much better suited for this use case.

shanepj · Answer

My issue is a little bit different.  When a syslog message comes in for a failed fan (Let's say "Switch-A fan 2") it runs a script that automatically creates a remedy incident and assigns it to the network team.  The network team will take that ticket and put in a change request to fix the fan.  That part is all the easy part.  The issue we are having is I continue to receive the failed fan message every minute until it is fixed.  So if a fan fails on Thursday at 7:00 AM and they cannot fix it until Sunday at 7:00 AM I will receive 4320 syslog messages.  Without a workaround the system currently will generate 4320 incidents which would make network very unhappy with me.  Our current workaround is to run data checks in our script that looks for a matching event in our event log and if it exists to not create the incident.  There are a lot of variables here that make it so additional incidents could be created. This cropped up because I still had about 16 tickets created.  That is far better than 4320,but network is still not thrilled with that many incidents.

The best option would be to have the ability to suppress fan alerts for that one device.  Even better specific fan alerts from that device so we do not miss a failed fan in the same device. for example "switch-A Fan 2"  but if I could at least suppress the fan alerts for "Switch-A" that would be a great thing.