Discussion:
trap event transform; add to multiple components
Patrick vL
2013-11-13 10:42:21 UTC
Patrick vL [http://community.zenoss.org/people/PatrickvL] created the discussion

"trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75234#75234

--------------------------------------------------------------
We have a switch that is configured to send traps to the Zenoss machine. It is an old switch that sends one trap that contains information about more than one port. Say, for example, if the link of two ports goes down at roughly the same time, then one trap is sent containing information about these two ports.

The trap shows up as an event. I used an event class mapping to transform the O.I.D.s to readable text. Normally I also set the evt.component field to the port information in the trap. How can I do that if multiple ports are given in one trap? I know that evt.component is a 'str' so it can only hold the id of one component, right? Is it possible to split the trap event into multiple events? Any other ideas?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/75234#75234]

Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Thomas Pollet
2013-11-13 14:33:36 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75220#75220

--------------------------------------------------------------
A trap contains varbindings to describe affected components. The varbindings are available in the event details.
You'll have to do some debugging to find out how to reference them, I guess.

Also, if you import the switch mibs, the trap and varbind oids should translate well.
--------------------------------------------------------------

Rob Eagle
2013-11-13 15:24:32 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75251#75251

--------------------------------------------------------------
Patrick,
Think you can do something like the example below. You would retrieve the original event with the 'evt.portinformation' like you stated, and then create 2 new zenoss events by executing zensendevent for each interface contained within the original trap. You might need to work on the zensendevent portion of this transform to make the new events look like the original, but with only one interface this time. You can see the zensendevent syntax by executing zensendevent --help as zenoss user.
This transform only executes if it sees a ',' in the evt.portinformation, but not sure for your actual trap (would have to see it). It also sets the original event to informational and includes all zensendevent commands in evt.mycommandsummary.
You will need to change evt.portinformation to match the varbind within the actual trap you are receiving.
Hope this works for you, an interesting problem.

import os
from subprocess import Popen, PIPE

severityList = {0:'Clear', 1:'Debug', 2:'Info', 3:'Warning', 4:'Error', 5:'Critical'}
if ',' in evt.portinformation:
    mycommandsummary = ""
    for int in evt.portinformation.split(','):
        mycommand = "zensendevent -d %s\
            -i %s\
            -p %s\
            -s %s\
            -o agent=zentrap %s" %\
            (evt.device, evt.ipAddress, int, severityList[evt.severity], evt.summary)
        r=Popen(mycommand, shell=True, stdout=PIPE, stderr=PIPE)
        mycommandsummary += mycommand
    evt.summary = "SPLIT INTO 2 EVENTS, check mycommandsummary for commands, Original Summary: " + evt.summary
    evt.mycommandsummary = mycommandsummary
    evt.severity = 2

--Rob
--------------------------------------------------------------

Thomas Pollet
2013-11-13 15:54:11 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75240#75240

--------------------------------------------------------------
Rob,

Is evt.portinformation always available?

Also, you introduce a funny security bug in your code if the trap information contains a shell command ( `/bin/touch /tmp/self` for example as a port).
--------------------------------------------------------------

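An added example, not part of the thread and not Zenoss code: one way to build the zensendevent calls from the transform above so that no shell ever parses the trap-supplied port or summary. The port naming pattern, the helper names and the sample values are assumptions for illustration; only the zensendevent options already shown in the thread are used.

```python
import re
from subprocess import Popen, PIPE

# Severity names as used in the transform posted above.
SEVERITY = {0: 'Clear', 1: 'Debug', 2: 'Info', 3: 'Warning', 4: 'Error', 5: 'Critical'}

# Assumption: port identifiers on this switch look like "Gi0/1" or "port-12".
# Adjust the allow-list to the naming the device actually uses.
PORT_RE = re.compile(r'[A-Za-z0-9][A-Za-z0-9/_.:-]{0,63}')


def split_ports(portinformation, sep=','):
    """Split the varbind value; return (valid, rejected) port names."""
    valid, rejected = [], []
    for raw in portinformation.split(sep):
        name = raw.strip()
        if not name:
            continue
        if PORT_RE.fullmatch(name):
            valid.append(name)
        else:
            rejected.append(name)
    return valid, rejected


def build_argv(device, ip, port, severity, summary):
    """Argument vector for one zensendevent call. Each trap-derived value
    is a single list element, so backticks, ';' or '$()' stay literal text."""
    return ['zensendevent', '-d', device, '-i', ip, '-p', port,
            '-s', SEVERITY[severity], '-o', 'agent=zentrap', summary]


def send(argv):
    """Run zensendevent directly (no shell=True), as the transform would."""
    return Popen(argv, stdout=PIPE, stderr=PIPE)


if __name__ == '__main__':
    # Constructed varbind value; the middle entry is the example from the thread.
    sample = 'Gi0/1,`/bin/touch /tmp/self`,Gi0/2'
    ports, bad = split_ports(sample)
    for p in ports:
        print(build_argv('switch01', '192.0.2.10', p, 4, 'link down'))
    print('rejected:', bad)
```

Rejected names are worth recording on the original event (for example in a detail field) so a malformed or hostile trap is visible to the operator.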
Rob Eagle
2013-11-13 15:58:18 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75252#75252

--------------------------------------------------------------
Definitely not, that is just a reference point to whatever varbind contains the 2 or more interfaces that were referenced in Patrick's original post. Since I can't see the actual event, Patrick would have to change that reference in the script to match the actual attribute in the event. Along with the ',', if the ',' is not used to separate the different interfaces.
Hope that helps?
--Rob
--------------------------------------------------------------

Patrick vL
2013-11-14 13:10:57 UTC
Patrick vL [http://community.zenoss.org/people/PatrickvL] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75256#75256

--------------------------------------------------------------
@Rob, thanks for your example.

In your example you use zensendevent to send an event for each of the components. Is it possible to directly create the events instead of using a subprocess call to zensendevent? I think I will have to take a look at zensendevent code to see if it gives me some new ideas.
--------------------------------------------------------------

Rob Eagle
2013-11-14 14:19:51 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75257#75257

--------------------------------------------------------------
The problem is that you actually need two or more events created from only one original event. The only other method(s) I know would be a web service call (still using subprocess) or maybe a path to the database (dmd) from the transform, but not sure. This seemed to be the simplest means.
The transform I sent seemed to work in my test environment, with the two new events being created about 1 second after the original.

--Rob
--------------------------------------------------------------

Patrick vL
2013-11-14 15:34:15 UTC
Patrick vL [http://community.zenoss.org/people/PatrickvL] created the discussion

"Re: trap event transform; add to multiple components"

To view the discussion, visit: http://community.zenoss.org/message/75259#75259

--------------------------------------------------------------
Thanks, your example solves my problem.
--------------------------------------------------------------
