Re: Pattern Matching in OM (193 Views)
Honored Contributor
ramesh9
Posts: 1,036
Registered: ‎04-19-2011
Message 1 of 6 (271 Views)

Pattern Matching in OM

OMU 9.x with OVO agent 11.x on HP Unix servers

I receive SNMP trap from NNM server and I need to pattern match for setting severity of the message.

The severities which I am interested in are Critical, Major, Minor and Normal.

The message which I am trying to pattern match is,

1.3.6.1.4.1.11.2.17.19.2.2.20 (OctetString): .1.3.6.1.4.1.18568.2.1.1.2.2.1.13=22,.1.3.6.1.4.1.18568.2.1.1.2.8.1.1=23,.1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=1,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3=2,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.4=3,.1.3.6.1.4.1.11.2.17.2.2.0=94.56.246.102,cia.snmpoid=.1.3.6.1.4.1.18568.2.1.1.5.0.6,cia.address=94.56.246.102,cia.originaladdress=127.0.0.1,cia.tenant.name=SAN,cia.tenant.uuid=d5e94736-2269-4117-8d32-e4270103da87,cia.securityGroup.name=SAN,cia.securityGroup.uuid=6ed47082-925d-4e83-adf4-c4f94d3b3775

The pattern which I had developed for capturing Critical and Major message is,

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[1|2]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

and for Minor message is,

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[3]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

and for Normal message is,

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[5]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

The severity is indicated by 3rd variable in the message.

When I apply pattern match for each severity in separate conditions in SNMP policy in following order,

Normal

Critical | Major

Minor

I am seeing Normal, Critical, Major work.

When Minor severity message arrives I am getting Critical or Major severity alert and I am seeing the condition for Critical | Major is executed.

I tried to change the order in snmp trap policy but end-result is same.

Is the pattern matching I am trying to do fine, or are there better alternatives?

Please help.

Honored Contributor
m_vidyasagar
Posts: 548
Registered: ‎04-21-2011
Message 2 of 6 (246 Views)

Re: Pattern Matching in OM

Try the below for Minor message :

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=3,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
Honored Contributor
ramesh9
Posts: 1,036
Registered: ‎04-19-2011
Message 3 of 6 (226 Views)

Re: Pattern Matching in OM

Hello Vidyasagar

I had already tried this and it did not work.

In my SNMP policy the order in which condition for each severity is,

Critical

Normal

Minor

When I set the pattern matching you had specified in Minor condition, it is not being captured by Minor condition.

Instead the message is captured by Critical condition and raises a Critical alarm.

Honored Contributor
m_vidyasagar
Posts: 548
Registered: ‎04-21-2011
Message 4 of 6 (208 Views)

Re: Pattern Matching in OM

Hi Ramesh,

I see strange behaviour with the pattern matching.

I tried testing the same using the log file policy and I say that only the first rule is matching.

Check out the below snapshot ( Same has been attached as well ).

As per your Trap , var2 should always match .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2

If var2 matches correctly then the proper alert is triggered if not it triggers the improper alert ( say, instead of Minor it triggers Critical\Major ) in those cases var2 variable is showing as .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=3

Just looking, if there are any other ways to get through this.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
Honored Contributor
m_vidyasagar
Posts: 548
Registered: ‎04-21-2011
Message 5 of 6 (200 Views)

Re: Pattern Matching in OM

Hi Ramesh,

Fed up with internet policies. I have sent you the image in private chat. Please check.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
Honored Contributor
ramesh9
Posts: 1,036
Registered: ‎04-19-2011
Message 6 of 6 (193 Views)

Re: Pattern Matching in OM

Hello Vidyasagar

Thanks for your help, although I did not get your image in private message, might have been blocked.

I checked again and I am seeing if following varbind,

.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3

has value 2

then the sub-pattern,

<*.var2>=[1|2]

is getting matched.

If .1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3 has value other than 2, then the sub-pattern

<*.var2>=[1|2]

is not getting matched.

Now looking for further options to enhance.

If you have any inputs please share.
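
The behaviour reported in the last post, reproduced as an added example (not code from the thread or from HP): when a wildcard is allowed to span "," and "=", the Critical | Major condition can bind its third name=value slot to the following varbind, so a Minor trap whose next varbind is 2 is picked up as Critical | Major. The regular expressions are stand-ins for the thread's patterns under the assumption that <*> behaves like ".*"; `trap`, `first_match`, `SPANNING_TOK` and `FIELD_TOK` are hypothetical names, and the sample message is constructed with shortened OID names.

```python
import re

P = ".1.3.6.1.4.1.18568.2.1.1"  # enterprise prefix taken from the trap in the thread

def trap(sev, state, prev):
    """Constructed varbind string shaped like the thread's trap (OID names shortened)."""
    return (f"{P}.2.2.1.13=22,{P}.2.8.1.1=23,{P}.3.1.18.1.2={sev},"
            f"{P}.3.1.18.1.3={state},{P}.3.1.18.1.4={prev},"
            "cia.address=94.56.246.102,cia.tenant.name=SAN")

# Conditions in the order given in the first post: (name, class for the third value).
CONDITIONS = [("Normal", "5"), ("Critical|Major", "[12]"), ("Minor", "3")]

SPANNING_TOK = r".*?"   # assumption: stand-in for <*>, free to cross ',' and '='
FIELD_TOK = r"[^,=]*"   # wildcard confined to a single name or a single value

def build(tok, sev_class):
    """name=value,name=value,name=<severity>,name=value,name=value,<rest>"""
    pair = f"{tok}={tok}"
    return re.compile(f"^{pair},{pair},{tok}=(?:{sev_class}),{pair},{pair},.*$")

def first_match(message, tok):
    """Return the name of the first condition whose pattern matches, or None."""
    for name, sev_class in CONDITIONS:
        if build(tok, sev_class).match(message):
            return name
    return None

if __name__ == "__main__":
    # Minor event (third value 3) whose following varbind happens to be 2.
    minor = trap(sev=3, state=2, prev=3)
    print("spanning wildcard ->", first_match(minor, SPANNING_TOK))
    print("field wildcard    ->", first_match(minor, FIELD_TOK))
    # Same Minor event, but no later varbind equals 1 or 2.
    print("spanning, state=4 ->", first_match(trap(3, 4, 4), SPANNING_TOK))
```

With the spanning wildcard the second wildcard pair absorbs the real third varbind, which is why reordering the conditions does not change the outcome; confining each wildcard to one field makes the third slot always the third varbind.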
