12-01-2013 11:19 PM
NNM on 9.11.005 in HP Unix
Currently we receive single trap from one of our device and based on
Custom Incident Attribute OID we determine following,
1. Event Type ( Around 11 Event Types like Firewall, Syslog etc)
2. Severity ( Critical, Major, Minor, Warning, Normal )
We need to enrich following based on the original NNM incident based on CIA OID
1. Enriching Message Text to prefix Event Type
2. Enriching Severity
Unfortunately we if we add enrichment rules we need to setup
around 55 enrichment rules ( 5 enrichment rule for each event type with 5 severity level )
And this would affect NNM performance.
Is there any other simple solution please.
12-02-2013 01:09 AM
The solution is to enrich the particular incident with the filters.
You first open the SNMP Event, select either the global enrichment or the enrichment based the particular cia that you will found under the CA hood of the node. After selecting the useful enrichments according tou, go for the filters , and select the ciaName and ciaValue, and then apply the enrichment method. You in this way, you dont go for all the 55 events or watever, once the incident enters into the pipeline, the first thing it would do is suppression or enrichments and then it persist in DB with the non-dampened cycle.
So, in this way you can achieve this.
Please appreciate by giving Kudos.
12-02-2013 09:44 PM
Can you please provide me the txt file including what you want to configure ?
In the txt file, just elaborate your issue with points.
Appreciate my efforts by hitting Kudos.
12-03-2013 06:03 AM
What i have understand through this file is :
1. .22.214.171.124.4.1.135126.96.36.199 is coming as a trap with values of .188.8.131.52.4.1.135184.108.40.206.1.11.0 and .220.127.116.11.4.1.13518.104.22.168.1.1.0.
2. Now you want to enrich so as to see the Event Type in the Message Text and Severity set accordingly.
So, the solution for above is that open the SNMP Trap which is of .22.214.171.124.4.1.135126.96.36.199. Go to Enrichment Tab, create new type, set the category " fault ", family " Node ", and Severity " as per your requirement ". After that set any priority accordingly and Correaltion nature as " None ".
After completeing all these things, in the Message Text, type $.188.8.131.52.4.1.135184.108.40.206 or you can also use $.220.127.116.11.4.1.13518.104.22.168.1.11.0. After that go to payload Filters, create new, enter accordingly
ciaName = .22.214.171.124.4.1.135126.96.36.199.1.11.0 AND ciaValue = < Value you want to see > AND ciaName = .188.8.131.52.4.1.135184.108.40.206.1.1.0. AND ciaValue = < Value you want to use >
In the above filters, this OID becomes visible in the console as events when there is a match. Suppose, you have configured, one for critical, one for warning. And suppose when the Event type called IPS comes as Critical, then this creates an event. Same for all others like what you have configured in the payload filters.
It is good to have a word with the network team that which Event is important and critical. After that you create the payload filters accordingly and set the Severity Critical for this Event Enrichment.
Please Appreciate by hitting Kudos.
12-03-2013 11:03 PM
This is what I had done and it had resulted in 55 enrichment rules.
Say for example for Event Type AV we have 5 different severity level ( Critical, Major, Minor, Warning, Normal )
According to your explanation I need to create 5 enrichment rules for Event Type AV with 5 different severity
Our Total number of event types is 11 and if each Event Type has 5 different severity and end-result would be 55 enrichment rules.
12-03-2013 11:55 PM
no need to do that much :)
from your text attachment:
EID contains .220.127.116.11.4.1.13518.104.22.168.1.11.0 : Event Type
So, if you just need to show the Event Type within the message without further differentiation you just have to show this EID as written by Vik.: in the Message Text, type [..] $.22.214.171.124.4.1.135126.96.36.199.1.11.0
In this case you just have to enrich the severities (creating 5 enrichments at all).
12-04-2013 08:49 PM
Thanks for the inputs.
Unfortunately the Event Type Custom Incident Attribute is not a string, but a numerical value and based on the numerical value we need to compute the Event Type string.
How can we manage these kind of scenarios.
12-04-2013 10:00 PM
For that, you have to specify ciaName = < OID > and ciaValue = < value ,may be 1, 2 , 3 or any >
And this is how you can specify the filters. I was telling the same thing that you don't have to go for 55 enrichments, just do for 5 enrichments.
Appreciate my efforts by hitting Kudos.