Enrichment of NNM Incident queries

ramesh9
Message 1 of 12

NNM on 9.11.005 in HP Unix

Currently we receive a single trap from one of our devices, and based on the Custom Incident Attribute OID we determine the following:

1. Event Type (around 11 Event Types like Firewall, Syslog etc.)

2. Severity (Critical, Major, Minor, Warning, Normal)

We need to enrich the following on the original NNM incident, based on the CIA OID:

1. Enriching Message Text to prefix Event Type

2. Enriching Severity

Unfortunately, if we add enrichment rules we need to set up around 55 enrichment rules (5 enrichment rules for each event type, with 5 severity levels).

And this would affect NNM performance.

Is there any other simple solution, please?

Vikramsingh_03
Message 2 of 12

Hi Ramesh,

The solution is to enrich the particular incident with the filters.

You first open the SNMP Event, select either the global enrichment or the enrichment based on the particular CIA that you will find under the CA hood of the node. After selecting the useful enrichments according to you, go for the filters, select the ciaName and ciaValue, and then apply the enrichment method. In this way, you don't go for all the 55 events or whatever; once the incident enters the pipeline, the first thing it would do is suppression or enrichment, and then it persists in the DB with the non-dampened cycle.

So, in this way you can achieve this.

Regards,

Vik

Please appreciate by giving Kudos.

ramesh9
Message 3 of 12

Hi Vikram

Could you please give me an example?

Regards

Ramesh

Vikramsingh_03
Message 4 of 12

Hi Malilu,

Can you please provide me the txt file including what you want to configure?

In the txt file, just elaborate your issue with points.

Regards,

Vik

Appreciate my efforts by hitting Kudos.

ramesh9
Message 5 of 12

Hi

Please find text file attached which defines my requirements or configurations to be made.

Vikramsingh_03
Message 6 of 12

Hi Ramesh,

What I have understood from this file is:

1. .1.3.6.1.4.1.13567.3.4.1 is coming as a trap with values of .1.3.6.1.4.1.13567.3.4.1.1.11.0 and .1.3.6.1.4.1.13567.3.4.1.1.1.0.

2. Now you want to enrich so as to see the Event Type in the Message Text and Severity set accordingly.

So, the solution for the above is to open the SNMP Trap which is of .1.3.6.1.4.1.13567.3.4.1. Go to the Enrichment tab, create a new type, set the category "fault", family "Node", and Severity "as per your requirement". After that, set any priority accordingly and Correlation nature as "None".

After completing all these things, in the Message Text, type $.1.3.6.1.4.1.13567.3.4.1 or you can also use $.1.3.6.1.4.1.13567.3.4.1.1.11.0. After that, go to Payload Filters, create a new one, and enter accordingly:

ciaName = .1.3.6.1.4.1.13567.3.4.1.1.11.0 AND ciaValue = < Value you want to see > AND ciaName = .1.3.6.1.4.1.13567.3.4.1.1.1.0 AND ciaValue = < Value you want to use >

In the above filters, this OID becomes visible in the console as events when there is a match. Suppose you have configured one for critical and one for warning. And suppose the Event type called IPS comes as Critical; then this creates an event. The same goes for all the others that you have configured in the payload filters.

It is good to have a word with the network team about which Event is important and critical. After that, you create the payload filters accordingly and set the Severity Critical for this Event Enrichment.

Regards,

Vik

Please Appreciate by hitting Kudos.

Vikramsingh_03
Message 7 of 12

And Ramesh,

Please hit kudos if there is something helpful to you.

ramesh9
Message 8 of 12

Hello Vik

This is what I had done and it had resulted in 55 enrichment rules.

Say, for example, for Event Type AV we have 5 different severity levels (Critical, Major, Minor, Warning, Normal).

According to your explanation I need to create 5 enrichment rules for Event Type AV with 5 different severities.

Our total number of event types is 11, and if each Event Type has 5 different severities the end result would be 55 enrichment rules.

AlexanderH
Message 9 of 12

Hi Ramesh,

no need to do that much :)

from your text attachment:

EID contains .1.3.6.1.4.1.13567.3.4.1.1.11.0 : Event Type

So, if you just need to show the Event Type within the message without further differentiation, you just have to show this EID as written by Vik: in the Message Text, type [..] $.1.3.6.1.4.1.13567.3.4.1.1.11.0

In this case you just have to enrich the severities (creating 5 enrichments in all).

HTH

Alexander

ramesh9
Message 10 of 12

Hello Alexander

Thanks for the inputs.

Unfortunately the Event Type Custom Incident Attribute is not a string, but a numerical value, and based on the numerical value we need to compute the Event Type string.

How can we manage this kind of scenario?

Regards

Ramesh

Vikramsingh_03
Message 11 of 12

Hi Ramesh,

For that, you have to specify ciaName = < OID > and ciaValue = < value, maybe 1, 2, 3 or any >

And this is how you can specify the filters. I was telling the same thing, that you don't have to go for 55 enrichments, just do 5 enrichments.

Regards,

Vik

Appreciate my efforts by hitting Kudos.

AlexanderH
Message 12 of 12

If this event type is indexed (mapped) in the MIB, you may give the function $text($.1.3.6.1.4.1.13567.3.4.1.1.11.0) a try...

HTH

Alexander
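
Added example, not part of the thread and not NNMi code: a Python model comparing the 55-rule layout with the layout suggested in the last replies (five severity rules plus one lookup of the event type name). The numeric values in both maps, the filler names Type5 to Type11, and the use of .1.3.6.1.4.1.13567.3.4.1.1.1.0 as the severity attribute are assumptions; the thread does not list them.

```python
from itertools import product

EVENT_TYPE_OID = ".1.3.6.1.4.1.13567.3.4.1.1.11.0"  # Event Type, per the thread
SEVERITY_OID = ".1.3.6.1.4.1.13567.3.4.1.1.1.0"     # ASSUMED to carry severity

# Constructed enumeration standing in for the MIB mapping; the thread never
# lists the real numbers. Four names appear in the thread, the rest are fillers.
EVENT_TYPES = {1: "Firewall", 2: "Syslog", 3: "IPS", 4: "AV",
               **{n: f"Type{n}" for n in range(5, 12)}}
SEVERITIES = {1: "Critical", 2: "Major", 3: "Minor", 4: "Warning", 5: "Normal"}

def cross_product_rules():
    """One rule per (event type, severity) pair: the 55-rule layout."""
    return [({EVENT_TYPE_OID: t, SEVERITY_OID: s}, EVENT_TYPES[t], SEVERITIES[s])
            for t, s in product(EVENT_TYPES, SEVERITIES)]

def enrich_cross(incident, rules):
    """Apply the first rule whose filter values all match the incident's CIAs."""
    out = dict(incident)
    for cia_filter, prefix, severity in rules:
        if all(incident["cias"].get(k) == v for k, v in cia_filter.items()):
            out["message"] = f"{prefix}: {incident['message']}"
            out["severity"] = severity
            break
    return out

def enrich_factored(incident):
    """Five severity rules plus one enum lookup for the message prefix."""
    cias, out = incident["cias"], dict(incident)
    if EVENT_TYPE_OID in cias:
        value = cias[EVENT_TYPE_OID]
        # Unmapped numbers fall back to the raw value instead of being dropped.
        out["message"] = f"{EVENT_TYPES.get(value, value)}: {incident['message']}"
    for cia_value, severity in SEVERITIES.items():  # the five severity rules
        if cias.get(SEVERITY_OID) == cia_value:
            out["severity"] = severity
            break
    return out

def sample(event_type, severity):
    """Constructed incident as it might look before enrichment."""
    return {"message": "trap received", "severity": "Normal",
            "cias": {EVENT_TYPE_OID: event_type, SEVERITY_OID: severity}}
```

Under these assumptions both layouts enrich every mapped pair identically. For an event type number that has no mapping, the 55-rule layout leaves the incident untouched, while the factored one still sets the severity and shows the raw number.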
