Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication

Ideally I would probably design my "Node down" type alert with an or in the trigger condition, so something like
interface status is down OR event such and such happens

so that the down alert triggers on whichever thing it sees first, status change or a trap, and it won't re-trigger because its already active.

I haven't done any interface alerting yet with LM, for all the events i was working with it was automatically attaching all the trap events to the Node and didn't see anything that made me think we could associate events to the specific interfaces.  If it is node level then it's going to be a real pain, probably end up requiring custom sql/swql to make an alert logic that covered both scenarios.  Hopefully a PM can weigh in on interface alerting from LM events.

Gave it a try. The Orion Log Manager created alert had it set to "I want to alert on Nodes"

The out the box interface alert in alert manager is set to "I want to alert on Interfaces" (Which I suspect is correct).

I created a new "Or" Alert, copied the log manager alert condition and added an "OR" statement. Got a validation error..

Can you post the actual alert rule you setup to filter the trap = interface down on the specific port...

Im having the same problem filtering my traps to only alert on a specific interface... im trying to filter interface down on port 1/29

HI. So It can't be done to link it to a "polled" orion interface. But you can still have it tag/alert from the Log Analyser rule. I see a couple of methods and an issue above from my experiance.

You are trapping on trap OID 1.3.6.1.6.3.1.1.5.3 AND 1.3.6.1.2.1.2.2.1.2.29. It cannot be both OIDs at the same time. if you view the trap in Log Analyser, there is only one trap OID (Like a parent one) and then variables within it "VarBinds" and that has OIDs for each variable - this are not "TrapOid" but "Varbind OID".

If you want to achieve parent OID A or B, you need to move the 2.29 OID into the "+ OR" under the top one. That gets the OIDs working.

To then filter the specific interface, you want to do the "and" operation like you currently have. you then get two choices.

1) Used "Message" and "Contains", for example "message contains Ethernet1/1" as a filter. The message is the whole trap and all OIDs "Dumped together" which is what you see as the whole trap message line.

2) Use a "Varbind Message" or "Varbind OID" is equal to "Ethernet1/1" or whatever the variable is.

If you need help, post up a screenshot of the actual trap and its pretty easy.

I'm having the same issue. I would like to take out bits of my trap messages to make the alert more meaningful. the trap i want to alert on contains a lot of not-so-helpful information, there's only 3-5 lines/values i would like to extract out of the message. I remember in trap viewer you could user varbinds like ${vbData3} ${vbData5} ${vbData7} in the alert actions.

Did you find a solution? Please can you give me an example of the trap message itself and I will give you a copy of the way I would do it. Feel free to block out hostnames and other details, as long as the trap OID is there and all varbinds I can tell you..

Hello Ashleyh...thanks for the reply

This is one of the traps im using to trigger a BGP alert when a peer no longer becomes available... can you tell me if this will work ok.

Thanks

Hi,

Were you able to find a solution for point 1)? We have recently upgraded to 2019.4 and I'm struggling with extracting the varbinds variables to put them into alert message. For starters I'm trying to put AP name in email subject. Trap message looks like this:

I have raised a feature request idea here: Please up-vote it as this is the same function you are asking for!

https://thwack.solarwinds.com/t5/LA-Feature-Requests/Extract-of-Log-Trap-Messages-VarBinds-to-Trigger-Orion-Alerts/idi-p/597824#M131

Did you ever figure out how to get specific varbinds into an Orion alert notification?