Level 9

Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication

So I receive a trap for something like "interface down"

TrapOid: 1.3.6.1.6.3.1.1.5.3

TrapType: IF-MIB:linkDown

it has a load of VarBinds:

VARBINDS

sysUpTime (1.3.6.1.2.1.1.3.0) = 356 days 6 hours 46 minutes 21.27 seconds

ifIndex.436232192 (1.3.6.1.2.1.2.2.1.1.436232192) = 436232192

ifAdminStatus.436232192 (1.3.6.1.2.1.2.2.1.7.436232192) = down(2)

ifOperStatus.436232192 (1.3.6.1.2.1.2.2.1.8.436232192) = down(2)

ifDescr.436232192 (1.3.6.1.2.1.2.2.1.2.436232192) = Ethernet1/7

ifAlias.436232192 (1.3.6.1.2.1.31.1.1.1.18.436232192) = [ThisIsAnImportantPort]

snmpTrapEnterprise (1.3.6.1.6.3.1.1.4.3.0) = IF-MIB:linkDown

From this, I add a tag to the alert and fire an Orion Integrated Alert. Fabulous. I have two issues I cannot figure out.

1) In the Orion alert, I cannot pick out specific bits to place in my customer alert. I can insert the trap message which just dumps the alert as "Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], snmpTrapEnterprise = IF-MIB:linkDown"

What I would like to do is have the Orion alert say something like "Trap received for Interface Ethernet1/7 on Node Switch1 for Interface Down. Port has description of 'ThisIsAnImportantPort'"

Whilst I can get Orion Alert manager to display the nodeID, I cannot for the life of me insert a variable to say "use varbind/trapOID 1.3.6.1.2.1.2.2.1.2.436232192" in the alert message.

2) If, by chance, I am managing the same Node and Interface in Orion via SNMP Polling, I will, on the next polling cycle, get an alert if the interface is down (and has stayed down). We need both, as if the port "drops" for a few mins between polling cycles, we would want to know about it. How do I use both sources for monitoring without ending up with duplicate Orion Alerts?

Thanks.

Ashley
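An added example (not part of the original post and not SolarWinds code): the flattened trap message quoted in point 1 can be split back into varbinds and rebuilt into the wording the post asks for. It uses no Orion API; the function names are hypothetical and the node name `Switch1` is passed in by the caller.

```python
import re

# Trap message as the alert dumps it in the post above.
SAMPLE = (
    "Interface Down was triggered. IF-MIB:linkDown : "
    "sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, "
    "ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), "
    "ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, "
    "ifAlias.436232192 = [ThisIsAnImportantPort], "
    "snmpTrapEnterprise = IF-MIB:linkDown"
)

# A new varbind starts at ", <name> = ". The lookahead keeps commas that
# appear inside a value (for example in a free-text ifAlias) intact.
_PAIR_SPLIT = re.compile(r", (?=[A-Za-z][\w.\-]* = )")


def parse_trap_message(message):
    """Return (trap_type, {base_name: {"instance": ..., "value": ...}})."""
    head, sep, body = message.partition(" : ")
    if not sep or not head.split():
        raise ValueError("expected '<text> <trap type> : <varbinds>'")
    trap_type = head.split()[-1]
    varbinds = {}
    for pair in _PAIR_SPLIT.split(body):
        name, eq, value = pair.partition(" = ")
        if not eq:
            continue  # not a name/value pair, skip it
        # "ifDescr.436232192" -> base "ifDescr", instance "436232192"
        base, _, instance = name.strip().partition(".")
        varbinds[base] = {"instance": instance, "value": value.strip()}
    return trap_type, varbinds


def build_alert_text(message, node, rule="Interface Down"):
    """Build the alert wording from the post out of ifDescr and ifAlias."""
    _, vb = parse_trap_message(message)
    descr = vb.get("ifDescr", {}).get("value", "unknown interface")
    alias = vb.get("ifAlias", {}).get("value", "").strip("[]")
    text = f"Trap received for Interface {descr} on Node {node} for {rule}."
    if alias:
        text += f" Port has description of '{alias}'"
    return text


if __name__ == "__main__":
    print(build_alert_text(SAMPLE, "Switch1"))
```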

8 Replies
Level 12

I'm having the same issue. I would like to take out bits of my trap messages to make the alert more meaningful. The trap I want to alert on contains a lot of not-so-helpful information, there's only 3-5 lines/values I would like to extract out of the message. I remember in trap viewer you could use varbinds like ${vbData3} ${vbData5} ${vbData7} in the alert actions.

0 Kudos
Level 7

Can you post the actual alert rule you set up to filter the trap = interface down on the specific port...

I'm having the same problem filtering my traps to only alert on a specific interface... I'm trying to filter interface down on port 1/29

pastedImage_0.png

0 Kudos
Level 9

Did you find a solution? Please can you give me an example of the trap message itself and I will give you a copy of the way I would do it. Feel free to block out hostnames and other details, as long as the trap OID is there and all varbinds I can tell you.

0 Kudos
Level 10

Hi,

Were you able to find a solution for point 1)? We have recently upgraded to 2019.4 and I'm struggling with extracting the varbinds variables to put them into alert message. For starters I'm trying to put AP name in email subject. Trap message looks like this:

pastedImage_0.png

0 Kudos
Level 9

Hi. So it can't be done to link it to a "polled" Orion interface. But you can still have it tag/alert from the Log Analyser rule. I see a couple of methods and an issue above from my experience.

You are trapping on trap OID 1.3.6.1.6.3.1.1.5.3 AND 1.3.6.1.2.1.2.2.1.2.29. It cannot be both OIDs at the same time. If you view the trap in Log Analyser, there is only one trap OID (like a parent one) and then variables within it, "VarBinds", and that has OIDs for each variable - these are not "TrapOid" but "Varbind OID".

If you want to achieve parent OID A or B, you need to move the 2.29 OID into the "+ OR" under the top one. That gets the OIDs working.

To then filter the specific interface, you want to do the "and" operation like you currently have. You then get two choices.

1) Use "Message" and "Contains", for example "message contains Ethernet1/1" as a filter. The message is the whole trap and all OIDs "dumped together", which is what you see as the whole trap message line.

2) Use a "Varbind Message" or "Varbind OID" is equal to "Ethernet1/1" or whatever the variable is.

If you need help, post up a screenshot of the actual trap and it's pretty easy.

0 Kudos
Level 7

Hello Ashleyh...thanks for the reply

BGP Peering Trap.PNG

This is one of the traps I'm using to trigger a BGP alert when a peer no longer becomes available... can you tell me if this will work ok.

Thanks

0 Kudos

Ideally I would probably design my "Node down" type alert with an or in the trigger condition, so something like
interface status is down OR event such and such happens

so that the down alert triggers on whichever thing it sees first, status change or a trap, and it won't re-trigger because it's already active.

I haven't done any interface alerting yet with LM, for all the events I was working with it was automatically attaching all the trap events to the Node and didn't see anything that made me think we could associate events to the specific interfaces.  If it is node level then it's going to be a real pain, probably end up requiring custom sql/swql to make an alert logic that covered both scenarios.  Hopefully a PM can weigh in on interface alerting from LM events.

- Marc Netterfield, Github
0 Kudos
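An added sketch (not part of the reply above and not Orion alert logic) of the "whichever source fires first" idea: trap and poll events for the same node and interface share one alert state, so the second source does not re-trigger while the alert is active. The event tuples are constructed sample data and `correlate` is a hypothetical name.

```python
def correlate(events):
    """Collapse trap and poll events into one alert stream.

    events: iterable of (time, source, node, interface, status) tuples,
    sorted by time, with source "trap" or "poll" and status "down" or "up".
    Returns a list of (time, action, node, interface, source) notifications.
    """
    active = {}  # (node, interface) -> source that opened the alert
    out = []
    for ts, source, node, iface, status in events:
        key = (node.lower(), iface.lower())
        if status == "down":
            if key in active:
                continue  # already active: the other source does not re-trigger
            active[key] = source
            out.append((ts, "TRIGGER", node, iface, source))
        elif status == "up" and key in active:
            # Either source may reset, so a lost linkUp trap is
            # still cleared by the next successful poll.
            del active[key]
            out.append((ts, "RESET", node, iface, source))
    return out


# Constructed sample: a long outage seen by both sources, then a short
# flap that only the traps see because it falls between polling cycles.
SAMPLE_EVENTS = [
    (0,   "trap", "Switch1", "Ethernet1/7", "down"),
    (120, "poll", "Switch1", "Ethernet1/7", "down"),  # duplicate, suppressed
    (600, "trap", "Switch1", "Ethernet1/7", "up"),
    (700, "trap", "Switch1", "Ethernet1/7", "down"),  # flap between polls
    (730, "trap", "Switch1", "Ethernet1/7", "up"),
    (900, "poll", "Switch1", "Ethernet1/7", "up"),    # nothing active, ignored
]

if __name__ == "__main__":
    for notification in correlate(SAMPLE_EVENTS):
        print(notification)
```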
Level 9

Gave it a try. The Orion Log Manager created alert had it set to "I want to alert on Nodes"

The out-of-the-box interface alert in alert manager is set to "I want to alert on Interfaces" (which I suspect is correct).

I created a new "Or" Alert, copied the log manager alert condition and added an "OR" statement. Got a validation error.

Screen Shot 2018-10-10 at 16.03.51.png

0 Kudos