Hello Folks:
I have a system sending SNMP Traps as the method to alert us about things like "Failed Logon attempts". That system seems to only send these Traps when something fishy occurs, while no CLEAR Trap can be expected later on (so the condition can't be automatically ACKed).
Therefore, I need to create an ALERT based on the occurrence of this specific trap.
After solving the requirement using the same techniques exposed here https://thwack.solarwinds.com/message/366359#366359, that is, tagging the incoming SNMP Trap in TRAP Viewer when the failed logon occurs, and then creating an ALERT (in the ALERT Manager) with an Advanced SWQL query such as the ones exposed in the previous link, in my case (the first line is included automatically by the ALERTS Wizard):
SELECT Nodes.Uri, Nodes.DisplayName FROM Orion.Nodes AS Nodes
WHERE Nodes.NodeID IN
    (SELECT a.NodeID FROM Orion.Traps AS a
     WHERE a.Tag = 'failedlogon')
Now I found my ALERT properly detected under ALERTS!!! (let's say I run the ALARM query every 5 minutes)
However, my problem is:
1- The system that sends the SET Trap won't send a matching CLEAR Trap in any form: I can't automate the clearing of the TRAP
2- If the SWQL query is checked every 5 minutes, the ALARM Manager will possibly re-detect the same TRAP, right? As long as the original TRAP is in the table, running the check will re-detect it, correct?
3- I need the operators to see the ALERT I created and take note, possibly ACK the ALERT: a new ALERT in the ALERT Manager should be related to a new case
4- I could be receiving X number of TRAPS like this in 5 minutes; it is not a problem to have one ALERT for all of them, but it is a problem if I keep re-creating the ALERT if the condition mentioned in 2 is present
Questions:
- How can I prevent the ALERT Manager from re-detecting an already detected SNMP Trap? Is this the reason why I have seen, in the attached link, people using the "acknowledged" flag from the Orion.Traps table in queries like this?
SELECT a.NodeID
FROM Traps a WITH (NOLOCK)
WHERE a.ColorCode = 8388863 AND a.Acknowledged = 0
- When (and why) is the Traps.Acknowledged flag set? Does ACKing an ALARM touch this flag somehow?
- How can I make sure the ALERT created (using the SWQL query mentioned), once it detects a matching condition (i.e. the query says that we have NEW Traps of this nature), is really new and not the same TRAPS received in the previous 5 minutes (when the SWQL query associated with the ALERT definition ran the last time)?
Help is appreciated
Arturo
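The re-detection problem raised in points 2 and 4 and in the questions can be seen by simulating the 5-minute evaluation against a small table. The following is an added example, not code from the post or from SolarWinds: it uses an in-memory SQLite table whose columns (TrapID, NodeID, DateTime, Tag, Acknowledged) are an assumed, simplified stand-in for Orion.Traps, and a constructed feed of four traps. It runs the two filters the post mentions, the "acknowledged = 0" pattern and a "DateTime newer than the last run" high-water mark, over three cycles and returns which NodeIDs each cycle would alert on. It does not claim anything about whether acknowledging an Orion alert sets Traps.Acknowledged; it only shows that the flag-based filter re-fires forever unless something flips the flag, while the time-based filter fires once per trap.

```python
"""Constructed simulation of trap re-detection across 5-minute alert cycles.

Not code from the post or from SolarWinds: it uses an in-memory SQLite table
whose columns (TrapID, NodeID, DateTime, Tag, Acknowledged) are an assumed,
simplified stand-in for Orion.Traps.
"""
import sqlite3
from datetime import datetime, timedelta

TAG = "failedlogon"
T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start of the simulation

# Constructed trap feed: (TrapID, NodeID, arrival time, Tag)
TRAP_FEED = [
    (1, 101, T0 + timedelta(minutes=1), TAG),
    (2, 102, T0 + timedelta(minutes=2), TAG),
    (3, 101, T0 + timedelta(minutes=7), TAG),         # node 101 fails again later
    (4, 103, T0 + timedelta(minutes=8), "linkdown"),  # unrelated trap, must never match
]


def new_connection():
    """Create the empty stand-in Traps table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Traps (TrapID INTEGER PRIMARY KEY, NodeID INTEGER, "
        "DateTime TEXT, Tag TEXT, Acknowledged INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def insert_trap(conn, trap_id, node_id, when, tag):
    """Store a trap; ISO-8601 text keeps string comparison equal to time order."""
    conn.execute(
        "INSERT INTO Traps (TrapID, NodeID, DateTime, Tag) VALUES (?, ?, ?, ?)",
        (trap_id, node_id, when.isoformat(), tag),
    )


def unacknowledged_nodes(conn, tag):
    """Strategy A, the 'acknowledged = 0' pattern quoted in the post: a trap keeps
    matching until something sets Traps.Acknowledged = 1."""
    cur = conn.execute(
        "SELECT DISTINCT NodeID FROM Traps WHERE Tag = ? AND Acknowledged = 0 "
        "ORDER BY NodeID",
        (tag,),
    )
    return [row[0] for row in cur]


def nodes_since(conn, tag, since):
    """Strategy B, a time high-water mark: only traps newer than the previous
    evaluation match, so each trap can fire at most once."""
    cur = conn.execute(
        "SELECT DISTINCT NodeID FROM Traps WHERE Tag = ? AND DateTime > ? "
        "ORDER BY NodeID",
        (tag, since.isoformat()),
    )
    return [row[0] for row in cur]


def acknowledge_matching(conn, tag):
    """Flip Acknowledged for every open trap with this tag (what an operator's
    ACK would have to do for strategy A to stop re-firing)."""
    conn.execute(
        "UPDATE Traps SET Acknowledged = 1 WHERE Tag = ? AND Acknowledged = 0", (tag,)
    )


def simulate(strategy, cycles=3, interval_minutes=5, ack_each_cycle=False):
    """Evaluate the alert condition once per interval; return, per cycle, the
    NodeIDs the condition would raise an alert for."""
    conn = new_connection()
    delivered = 0
    last_run = T0
    per_cycle = []
    for i in range(1, cycles + 1):
        now = T0 + timedelta(minutes=interval_minutes * i)
        # Deliver every constructed trap whose arrival time has passed.
        while delivered < len(TRAP_FEED) and TRAP_FEED[delivered][2] <= now:
            trap_id, node_id, when, tag = TRAP_FEED[delivered]
            insert_trap(conn, trap_id, node_id, when, tag)
            delivered += 1
        if strategy == "acknowledged":
            matched = unacknowledged_nodes(conn, TAG)
            if ack_each_cycle:
                acknowledge_matching(conn, TAG)
        elif strategy == "window":
            matched = nodes_since(conn, TAG, last_run)
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        per_cycle.append(matched)
        last_run = now
    return per_cycle


if __name__ == "__main__":
    print("acknowledged=0, nobody ACKs :", simulate("acknowledged"))
    print("acknowledged=0, ACK each run:", simulate("acknowledged", ack_each_cycle=True))
    print("DateTime > last run         :", simulate("window"))
```

With nobody acknowledging, the flag-based condition returns nodes 101 and 102 on every cycle, which is exactly the repeated detection described in point 2; acknowledging after each evaluation or keying the condition on the DateTime of the last run both reduce it to one detection per trap. Whichever filter is used in a real SWQL alert condition, the detail that matters is what resets it: an operator action, a stored timestamp, or nothing at all.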