Discussion:
Syslog event Switchport linktrap is not displayed corectly.
Twan Hermans
2012-02-03 11:44:08 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64195#64195

--------------------------------------------------------------
Hi,

We having Zenoss 3.2.1 monitoring some nortel switches. I've added the nortel zenpack, witch works great.
There is only one little disadvantage:
When Zenoss receives a syslog message "hostname :link up trap for port: 4" from the switch it appears in zenoss like:
Loading Image... Loading Image...
So we can't see or now that it is a link up or link down trap. If a simulate a trap, Zenoss only shows this message, and even overwrite it. So there isnt even a diffence between the messages.
Does someone now how to change this view ? Ive tried something with mappings, bud wont give te desired result.

Greetings Twan.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64195#64195]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jmp242
2012-02-03 13:11:11 UTC
Permalink
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64174#64174

--------------------------------------------------------------
Hmm, if you open up the event, what details are there... does it have hidden away that it's a link up? If so, you could probably use an event transform to edit the subject of the event.

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64174#64174]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-07 10:02:54 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64331#64331

--------------------------------------------------------------
Hi,

No there isnt any info in the event about link up or down. There will also be an snmp trap in the events. The trap is logged at the same time like the syslog event. But the snmp trap also does not show all the info. It only says snmp link trap up or link trap down, but no port info.
Ik would like to see the original syslog message from the switch, but Zenoss does not show the original message.. :( but splits it up or something.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64331#64331]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-07 16:53:15 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64326#64326

--------------------------------------------------------------
Twan:

Can you point your switch to something else and grab the full trap and syslog messages?

--shane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64326#64326]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-08 07:39:27 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64364#64364

--------------------------------------------------------------
Shane,

What do you mean with that ? Its my intention to use Zenoss voor all the monitoring. Including the syslog, and not to use another tool like kiwi.

There must be a way to get the message correctly displayed. But i don't understand the using of mapping/transform in Zenoss. I havent any knowledge of pheaton eather.

Twan.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64364#64364]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jmp242
2012-02-08 13:39:12 UTC
Permalink
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64355#64355

--------------------------------------------------------------
The syslog looks like it might be malformed. The best way to tell would be to capture the enitire syslog message as sent from the device. If it is malformed, you'll need to either get the device fixed (unlikely) or do some coding magic to parse the syslog message before it gets to zenoss for making an event.

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64355#64355]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-08 15:01:28 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64367#64367

--------------------------------------------------------------
Twan:

What I mean is send the messages to another application to compare message integrity. I'm unconvinced it's a Zenoss problem since we're talking Nortel devices.

--Shane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64367#64367]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-09 14:18:54 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64411#64411

--------------------------------------------------------------
Hi Shane,

Here you can see that the messages are not malformed:
Loading Image... Loading Image...
This is what Zenoss shows:
Loading Image... Loading Image...
Loading Image... Loading Image...
So, where is my port info ??
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64411#64411]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-09 14:50:30 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64412#64412

--------------------------------------------------------------
Twan:

Is the 4 in the component field? If it is, the problem is that syslog does not report the actual port name. If it did Zenoss would altomatically create a link to that port. You can optionally create a transform to read out the component, find the interface with that ifIndex and replace the 4 with the components full name. Nortels are natorious for providing less than helpful messages. :(

--Shane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64412#64412]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-09 15:13:31 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64414#64414

--------------------------------------------------------------
Shane,

No Port is in the componentfield and 4 in the summery.
However, I do not understand how mappings and transforms work into Zenoss. Maybe you can help me a bit ?

Gr. Twan


--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64414#64414]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-09 15:28:50 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64432#64432

--------------------------------------------------------------
Twan:

It looks like the message ultimately doesn't contain enough useful information. Looking at the message from syslog, does the message provide the source device or ip? Looking at the traps, no device seems to be associated with the traps. This means that the device is either not monitored by zenoss or the trap has no data in it relating to the source device. It's not impossible to map this stuff with transforms, but it'll be ugly.

--Shane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64432#64432]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-09 15:37:45 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64416#64416

--------------------------------------------------------------
Shane,

I've removed the ip information from the screenshots :) So it wil be there.  The switch is also monitored in Zenos. Everything looks fine. The only disadvantage is the appearance of the link trap.

Twan
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64416#64416]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-09 16:42:22 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64435#64435

--------------------------------------------------------------
Twan:

For the snmpTrap, is a component listed?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64435#64435]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
nilie
2012-02-09 21:03:39 UTC
Permalink
nilie [http://community.zenoss.org/people/nilie] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64442#64442

--------------------------------------------------------------
Twan,

I know someone asked you about this, but can you post here the original syslog message as the switch is sending ? You can do this by logging those messages in a text file. You did it in Orion but the syslog messages are already being parsed by Orion so we might lose some valuable info here. I would also like to know how is your setup for Zenoss syslog, is it receiving syslog messages directly from the switch or from a forwarder local or remote ?

Anyway, just looking at those messages as shown by Orion syslog and checking with the format of a standard syslog message, a question rises in my mind: when parsing the syslog message paylod, is Zenoss by chance using the colon (:) charcter as field separator ? Obviously, I address this question to all those having a deeper knowledge of Zenoss sinternal working.

So can anyone tell us if Zenoss when parsing the syslog message is using the colon character as a separator ?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64442#64442]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Twan Hermans
2012-02-24 11:17:19 UTC
Permalink
Twan Hermans [http://community.zenoss.org/people/twanhermans] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64765#64765

--------------------------------------------------------------
Nillie,

My suspicion is also that Zenoss uses the (:) as field seperator. When i make a capture of de syslog traffic and  compare the different messages, i notice that (:) is used for a field seperator.

The question is, is it posible to change it somewhere in Zenoss ? Remarkable is that the "summery' field and the 'message' field contain the same data. Het would be nice that those are different, like the summry field containing the original syslog message like the info field you see in a wireshark capture.

Gr Twan
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64765#64765]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Shane Scott
2012-02-29 02:04:19 UTC
Permalink
Shane Scott [http://community.zenoss.org/people/hackman238] created the discussion

"Re: Syslog event Switchport linktrap is not displayed corectly."

To view the discussion, visit: http://community.zenoss.org/message/64833#64833

--------------------------------------------------------------
Tawn:

Can you put zentrap in debug mode, capture the trap and post the log?

Best,
--Shane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/64833#64833]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Loading...