5 Replies Latest reply on Aug 24, 2019 9:49 PM by rmullal

    Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication

    ashleyh

      So I receive a trap for something like "interface down"

      TrapOid: 1.3.6.1.6.3.1.1.5.3
      TrapType: IF-MIB:linkDown

      it has a load of VarBinds:

      VARBINDS
      sysUpTime (1.3.6.1.2.1.1.3.0) = 356 days 6 hours 46 minutes 21.27 seconds
      ifIndex.436232192 (1.3.6.1.2.1.2.2.1.1.436232192) = 436232192
      ifAdminStatus.436232192 (1.3.6.1.2.1.2.2.1.7.436232192) = down(2)
      ifOperStatus.436232192 (1.3.6.1.2.1.2.2.1.8.436232192) = down(2)
      ifDescr.436232192 (1.3.6.1.2.1.2.2.1.2.436232192) = Ethernet1/7
      ifAlias.436232192 (1.3.6.1.2.1.31.1.1.1.18.436232192) = [ThisIsAnImportantPort]
      snmpTrapEnterprise (1.3.6.1.6.3.1.1.4.3.0) = IF-MIB:linkDown


      From this, I add a tag to the alert and fire an Orion Integrated Alert. Fabulous. I have two issues I cannot figure out.

       

      1) In the Orion alert, I cannot pick out specific bits to place in my customer alert. I can insert the trap message which just dumps the alert as "Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], snmpTrapEnterprise = IF-MIB:linkDown"

      What I would like to do is have the Orion alert say something like "Trap received for Interface Ethernet1/7 on Node Switch1 for Interface Down. Port has description of 'ThisIsAnImportantPort'"

      Whilst I can get Orion Alert manager to display the nodeID, I cannot for the life of me insert a variable to say "use varbind/trapOID 1.3.6.1.2.1.2.2.1.2.436232192" in the alert message.

       

      2) If, by chance, I am managing the same Node and Interface in Orion via SNMP Polling, I will, on the next polling cycle, get an alert if the interface is down (and has stayed down). We need both, as if the port "drops" for a few mins between polling cycles, we would want to know about it. How do I use both sources for monitoring without ending up with duplicate Orion Alerts?

       

      Thanks.

      Ashley

       

        • Re: Log Manager - Extract SNMP Trap VarBinds into Orion Alert
          mesverrum

          Ideally I would probably design my "Node down" type alert with an or in the trigger condition, so something like
          interface status is down OR event such and such happens

          so that the down alert triggers on whichever thing it sees first, status change or a trap, and it won't re-trigger because it's already active.

           

          I haven't done any interface alerting yet with LM; for all the events I was working with, it was automatically attaching all the trap events to the Node, and I didn't see anything that made me think we could associate events to the specific interfaces. If it is node level then it's going to be a real pain, probably ending up requiring custom SQL/SWQL to make an alert logic that covered both scenarios. Hopefully a PM can weigh in on interface alerting from LM events.

          • Re: Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication
            fmcd

            Can you post the actual alert rule you set up to filter the trap = interface down on the specific port...

            I'm having the same problem filtering my traps to only alert on a specific interface... I'm trying to filter interface down on port 1/29

             

              • Re: Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication
                ashleyh

                Hi. So it can't be done to link it to a "polled" Orion interface. But you can still have it tag/alert from the Log Analyser rule. I see a couple of methods and an issue above from my experience.

                You are trapping on trap OID 1.3.6.1.6.3.1.1.5.3 AND 1.3.6.1.2.1.2.2.1.2.29. It cannot be both OIDs at the same time. If you view the trap in Log Analyser, there is only one trap OID (like a parent one) and then variables within it, "VarBinds", and that has OIDs for each variable - these are not "TrapOid" but "Varbind OID".

                 

                If you want to achieve parent OID A or B, you need to move the 2.29 OID into the "+ OR" under the top one. That gets the OIDs working.

                To then filter the specific interface, you want to do the "and" operation like you currently have. You then get two choices.

                1) Use "Message" and "Contains", for example "message contains Ethernet1/1" as a filter. The message is the whole trap and all OIDs "dumped together", which is what you see as the whole trap message line.

                2) Use a "Varbind Message" or "Varbind OID" is equal to "Ethernet1/1" or whatever the variable is.

                 

                If you need help, post up a screenshot of the actual trap and it's pretty easy.
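
Added example, not part of the thread and not an Orion or Log Analyzer feature: a Python sketch that takes the flattened trap message quoted in the question, splits it back into named varbinds, applies the "one trap type AND a varbind value" filter described in the reply above, builds the alert text the question asks for, and suppresses a second alert for an interface that is already alerting. The function names are hypothetical, and it assumes a script outside Orion is handed the message text in the `name = value, ...` form shown in the question.

```python
import re

# Constructed sample: the trap message text quoted in the question.
MESSAGE = ("IF-MIB:linkDown : sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, "
           "ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), "
           "ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, "
           "ifAlias.436232192 = [ThisIsAnImportantPort], "
           "snmpTrapEnterprise = IF-MIB:linkDown")

# A varbind begins at "name = " or "name.<instance> = ", at the start or after ", ".
_VARBIND = re.compile(r"(?:^|, )([A-Za-z][\w-]*(?:\.\d+)*) = ")

def parse_trap_message(message):
    """Return (trap_type, {varbind_name: value}) from the flattened message."""
    trap_type, _, body = message.partition(" : ")
    marks = list(_VARBIND.finditer(body))
    varbinds = {}
    for i, m in enumerate(marks):
        # A value runs up to the next "name = " marker, so commas inside it survive.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        name = m.group(1).split(".")[0]  # drop the ifIndex instance suffix
        varbinds[name] = body[m.end():end]
    return trap_type, varbinds

def rule_matches(trap_type, varbinds, want_type, **want):
    """A trap has one trap type; everything else is matched as varbind values."""
    return trap_type == want_type and all(
        varbinds.get(name) == value for name, value in want.items())

def alert_text(node, event, varbinds):
    """Build the message wording requested in the question."""
    alias = varbinds["ifAlias"].strip("[]")
    return (f"Trap received for Interface {varbinds['ifDescr']} on Node {node} "
            f"for {event}. Port has description of '{alias}'")

def should_fire(active, node, varbinds):
    """Fire only when no alert is already active for this node and interface."""
    key = (node, varbinds["ifDescr"])
    if key in active:
        return False
    active.add(key)
    return True

if __name__ == "__main__":
    trap_type, vb = parse_trap_message(MESSAGE)
    if rule_matches(trap_type, vb, "IF-MIB:linkDown", ifDescr="Ethernet1/7"):
        print(alert_text("Switch1", "Interface Down", vb))
```

The parser splits on varbind names rather than on every comma, but a value that itself contains text shaped like `, name = ` would still be split incorrectly.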

              • Re: Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication
                rmullal

                I'm having the same issue. I would like to take out bits of my trap messages to make the alert more meaningful. The trap I want to alert on contains a lot of not-so-helpful information; there's only 3-5 lines/values I would like to extract out of the message. I remember in trap viewer you could use varbinds like ${vbData3} ${vbData5} ${vbData7} in the alert actions.