    Log Manager - Extract SNMP Trap VarBinds into Orion Alert & Alert De-duplication


      So I receive a trap for something like "interface down"






      it has a load of VarBinds:


      sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds
      ifIndex.436232192
      ifAdminStatus.436232192
      ifOperStatus.436232192
      ifDescr.436232192
      ifAlias.436232192
      snmpTrapEnterprise





      From this, I add a tag to the alert and fire an Orion Integrated Alert. Fabulous. I have two issues I cannot figure out.


      1) In the Orion alert, I cannot pick out specific bits to place in my customer alert. I can insert the trap message which just dumps the alert as "Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours 46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], snmpTrapEnterprise = IF-MIB:linkDown"

      What I would like to do is have the Orion alert say something like "Trap received for Interface Ethernet1/7 on Node Switch1 for Interface Down. Port has description of 'ThisIsAnImportantPort'".

      Whilst I can get Orion Alert manager to display the nodeID, I cannot for the life of me insert a variable to say "use varbind/trapOID" in the alert message.


      2) If, by chance, I am managing the same Node and Interface in Orion via SNMP Polling, I will, on the next polling cycle, get an alert if the interface is down (and has stayed down). We need both, as if the port "drops" for a few mins between polling cycles, we would want to know about it. How do I use both sources for monitoring without ending up with duplicate Orion Alerts?





          Ideally I would probably design my "Node down" type alert with an or in the trigger condition, so something like
          interface status is down OR event such and such happens

          so that the down alert triggers on whichever thing it sees first, status change or a trap, and it won't re-trigger because it's already active.


          I haven't done any interface alerting yet with LM. For all the events I was working with, it was automatically attaching all the trap events to the Node, and I didn't see anything that made me think we could associate events to the specific interfaces. If it is node level then it's going to be a real pain, probably end up requiring custom SQL/SWQL to make an alert logic that covered both scenarios. Hopefully a PM can weigh in on interface alerting from LM events.
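An added example, not part of the thread and not Orion or Log Manager functionality: a standalone Python script that splits the flattened trap message quoted in the first post into varbinds, builds the message the poster wanted, and models the "whichever source reports first" de-duplication described in the reply. `format_alert`, `DownAlertDeduper` and the node name passed in are hypothetical names chosen for illustration.

```python
import re

# Sample input: the trap message text quoted in the first post.
SAMPLE = ('Interface Down was triggered. IF-MIB:linkDown : sysUpTime = 356 days 6 hours '
          '46 minutes 21.27 seconds, ifIndex.436232192 = 436232192, '
          'ifAdminStatus.436232192 = down(2), ifOperStatus.436232192 = down(2), '
          'ifDescr.436232192 = Ethernet1/7, ifAlias.436232192 = [ThisIsAnImportantPort], '
          'snmpTrapEnterprise = IF-MIB:linkDown')

# A varbind is "name[.index] = value"; the value runs to the next ", name = " or end of text.
# Caveat: ifAlias is free text set on the device, so an alias containing ", x = " splits wrongly.
VARBIND = re.compile(r'([A-Za-z][\w-]*)(?:\.\d+)* = (.*?)(?=, [A-Za-z][\w-]*(?:\.\d+)* = |$)')

def parse_varbinds(message):
    """Return {varbind name: value} from the flattened trap message."""
    body = message.split(' : ', 1)[-1]   # drop "<alert> was triggered. <trap OID> : "
    return {name: value.strip() for name, value in VARBIND.findall(body)}

def format_alert(node, message):
    """Build the per-interface text; node comes from the caller, not from the trap."""
    vb = parse_varbinds(message)
    alert_name = message.split(' was triggered.', 1)[0]
    return ("Trap received for Interface {} on Node {} for {}. Port has description of '{}'"
            .format(vb.get('ifDescr', '?'), node, alert_name, vb.get('ifAlias', '').strip('[]')))

class DownAlertDeduper:
    """One active 'down' alert per (node, interface), whichever source reports first."""
    def __init__(self):
        self.active = {}                  # (node, ifDescr) -> source that opened the alert

    def report_down(self, node, if_descr, source):
        key = (node, if_descr)
        if key in self.active:
            return False                  # already active: suppress the duplicate
        self.active[key] = source
        return True                       # first report: raise the alert

    def report_up(self, node, if_descr):
        self.active.pop((node, if_descr), None)   # reset so the next drop alerts again
```

Keying on the interface name from `ifDescr` is what lets a trap and a polled status change collapse into one alert; it only works if both sources report the same interface name for the port.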

            Can you post the actual alert rule you set up to filter the trap = interface down on the specific port...

            I'm having the same problem filtering my traps to only alert on a specific interface... I'm trying to filter interface down on port 1/29