
Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication

So I receive a trap for something like "interface down"

TrapOid: 1.3.6.1.6.3.1.1.5.3
TrapType: IF-MIB:linkDown

it has a load of VarBinds:

VARBINDS

sysUpTime (1.3.6.1.2.1.1.3.0): 356 days 6 hours 46 minutes 21.27 seconds
ifIndex.436232192 (1.3.6.1.2.1.2.2.1.1.436232192): 436232192
ifAdminStatus.436232192 (1.3.6.1.2.1.2.2.1.7.436232192): down(2)
ifOperStatus.436232192 (1.3.6.1.2.1.2.2.1.8.436232192): down(2)
ifDescr.436232192 (1.3.6.1.2.1.2.2.1.2.436232192): Ethernet1/7
ifAlias.436232192 (1.3.6.1.2.1.31.1.1.1.18.436232192): [ThisIsAnImportantPort]
snmpTrapEnterprise (1.3.6.1.6.3.1.1.4.3.0): IF-MIB:linkDown

From this, I add a tag to the alert and fire an Orion Integrated Alert. Fabulous. I have two issues I cannot figure out.

1) In the Orion alert, I cannot pick out specific bits to place in my customer alert. I can insert the trap message which just dumps the alert as "Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], snmpTrapEnterprise = IF-MIB:linkDown"

What I would like to do is have the Orion alert say something like "Trap received for Interface Ethernet1/7 on Node Switch1 for Interface Down. Port has description of 'ThisIsAnImportantPort'"

Whilst I can get Orion Alert manager to display the nodeID, I cannot for the life of me insert a variable to say "use varbind/trapOID 1.3.6.1.2.1.2.2.1.2.436232192" in the alert message.

2) If, by chance, I am managing the same Node and Interface in Orion via SNMP Polling, I will, on the next polling cycle, get an alert if the interface is down (and has stayed down). We need both, as if the port "drops" for a few mins between polling cycles, we would want to know about it. How do I use both sources for monitoring without ending up with duplicate Orion alerts?

Thanks.

Ashley
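
The parsing that question 1 asks for, as an added example that is not part of the original post and is not SolarWinds code: it assumes the trap message keeps the "name = value, ..." layout quoted above and that a script outside Orion post-processes that text. `parse_trap_message`, `format_alert`, `dedup_key` and the node name argument are hypothetical names; the last function returns a node-plus-ifIndex key on which a trap alert and a polled alert for the same interface can be matched (question 2).

```python
import re

# Constructed sample: the trap message text as quoted in the post above.
SAMPLE = (
    "Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours "
    "46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, "
    "ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), "
    "ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], "
    "snmpTrapEnterprise = IF-MIB:linkDown"
)

# A varbind starts at "name = " or "name.<instance> = ". Splitting on that
# pattern, not on every comma, keeps values that contain commas in one piece.
_VARBIND = re.compile(r"(?:^|,\s*)([A-Za-z][\w-]*)(?:\.(\d+(?:\.\d+)*))?\s*=\s*")


def parse_trap_message(message):
    """Split the dumped text into alert name, trap type, instance and varbinds."""
    head, sep, body = message.partition(" : ")
    if not sep:
        raise ValueError("no 'TrapType : varbinds' separator found")
    event, found, _ = head.partition(" was triggered.")
    trap_type = head.split()[-1]                 # e.g. "IF-MIB:linkDown"
    matches = list(_VARBIND.finditer(body))
    varbinds, instance = {}, None
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        varbinds[m.group(1)] = body[m.end():end].strip()
        instance = instance or m.group(2)        # first suffix seen = ifIndex
    return {"event": event if found else trap_type, "trap_type": trap_type,
            "instance": instance, "varbinds": varbinds}


def format_alert(message, node_name):
    """Build the per-interface wording asked for in the post."""
    trap = parse_trap_message(message)
    vb = trap["varbinds"]
    alias = vb.get("ifAlias", "").strip("[]")    # drop the enclosing brackets
    return (f"Trap received for Interface {vb.get('ifDescr', 'unknown')} on Node "
            f"{node_name} for {trap['event']}. Port has description of '{alias}'")


def dedup_key(message, node_name):
    """Key shared by a trap alert and a polled alert for the same interface."""
    return (node_name.lower(), parse_trap_message(message)["instance"])


if __name__ == "__main__":
    print(format_alert(SAMPLE, "Switch1"))
    print(dedup_key(SAMPLE, "Switch1"))
```

Varbind values such as ifAlias are set on the device, so treat them as untrusted text if the formatted message is later rendered as HTML or passed to a command line.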

  • Ideally I would probably design my "Node down" type alert with an or in the trigger condition, so something like
    interface status is down OR event such and such happens

    so that the down alert triggers on whichever thing it sees first, status change or a trap, and it won't re-trigger because it's already active.

    I haven't done any interface alerting yet with LM, for all the events I was working with it was automatically attaching all the trap events to the Node and didn't see anything that made me think we could associate events to the specific interfaces. If it is node level then it's going to be a real pain, probably end up requiring custom SQL/SWQL to make an alert logic that covered both scenarios. Hopefully a PM can weigh in on interface alerting from LM events.

  • Gave it a try. The Orion Log Manager created alert had it set to "I want to alert on Nodes"

    The out the box interface alert in alert manager is set to "I want to alert on Interfaces" (Which I suspect is correct).

    I created a new "Or" Alert, copied the log manager alert condition and added an "OR" statement. Got a validation error.

