Discussion:
Best way to get Critical alerts on only selected ios interfaces?
Falk
2011-12-23 15:25:48 UTC
Falk [http://community.zenoss.org/people/Falk] created the discussion

"Best way to get Critical alerts on only selected ios interfaces?"

To view the discussion, visit: http://community.zenoss.org/message/63400#63400

--------------------------------------------------------------
Hi,

I have installed the Cisco-MIBs and configured traps on one of my switches to see that it traps correctly.
Everything works like a charm, but :)

I only want to have critical alerts on our 10G interfaces between datacenter interfaces.

Any good idea to do this "the easiest way"?

--
Regards Falk
Sweden
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/63400#63400]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
jmp242
2011-12-23 15:37:17 UTC
jmp242 [http://community.zenoss.org/people/jmp242] created the discussion

"Re: Best way to get Critical alerts on only selected ios interfaces?"

To view the discussion, visit: http://community.zenoss.org/message/63424#63424

--------------------------------------------------------------
I'd use Event Transforms myself. Have it match on the interface names and change the severity appropriately. Oh, you'll want to either invert (i.e. lower severity in transform of everything that doesn't match) or change the existing thresholds / mapping to lower severity and use the transform to elevate the matching events.

--
James Pulver
ZCA Member
LEPP Computer Group
Cornell University
--------------------------------------------------------------
Falk
2011-12-27 08:10:55 UTC
Falk [http://community.zenoss.org/people/Falk] created the discussion

"Re: Best way to get Critical alerts on only selected ios interfaces?"

To view the discussion, visit: http://community.zenoss.org/message/63436#63436

--------------------------------------------------------------
Hi,

Ouch, I was really into #lazyweb the 23rd..
But with your answer I could rtfm a few more times, and now I'm on the right track at least :)

RTFM -> http://community.zenoss.org/community/documentation/wiki/event_transforms?view=documents

--
Regards Falk
Sweden
--------------------------------------------------------------
Falk
2011-12-27 12:10:01 UTC
Falk [http://community.zenoss.org/people/Falk] created the discussion

"Re: Best way to get Critical alerts on only selected ios interfaces?"

To view the discussion, visit: http://community.zenoss.org/message/63437#63437

--------------------------------------------------------------
Hi,

I have now messed around with transforms until lunch (now :) ).
But I don't really understand how to proceed with this.
From my pov it's perhaps easier to conf our switches with
'no snmp trap link-status' on the interfaces.
From what I found it works on both IOS and NXOS.
This is the trap that I get from my interfaces:

2011-12-27 12:00:48,296 DEBUG zen.zentrap: Queueing event {'ifType': 6, 'firstTime': 1324983648.2952349, 'eventClassKey': 'snmp_linkDown', 'oid': '1.3.6.1.6.3.1.1.5.0', 'component': '', 'community': 'sure', 'device': '1.1.1.1', 'manager': 'localhost', 'eventGroup': 'trap', 'agent': 'zentrap', 'locIfReason.10106': 'down', 'ifIndex': 10106, 'ifDescr.10106': 'GigabitEthernet0/6', 'ifIndex.10106': 10106, 'monitor': 'localhost', 'locIfReason': 'down', 'severity': 3, 'summary': 'snmp trap snmp_linkDown', 'ifType.10106': 6, 'ifDescr': 'GigabitEthernet0/6', 'lastTime': 1324983648.2952349}


And the event is:

| agent | zentrap |
| clearid | |
| component | |
| count | 1 |
| dedupid | switch.name.here||/Net/Link||4|snmp trap snmp_linkDown |
| device | switch.name.here |
| DeviceClass | /Network/Switch |
| DeviceGroups | | |
| DevicePriority | 3 |
| eventClass | /Net/Link |
| eventClassKey | snmp_linkDown |
| eventClassMapping | /Net/Link/snmp_linkDown |
| eventGroup | trap |
| eventKey | |
| eventState | 0 |
| evid | 2634816c-1ed1-4cbd-8bc7-f021fdbd62e8 |
| facility | unknown |
| firstTime | 2011/12/27 12:00:48.000 |
| ipAddress | 1.1.1.1 |
| lastTime | 2011/12/27 12:00:48.000 |
| Location | |
| manager | localhost |
| message | snmp trap snmp_linkDown |
| monitor | localhost |
| ntevid | 0 |
| ownerid | |
| priority | -1 |
| prodState | 1000 |
| severity | 4 |
| stateChange | 2011/12/27 12:00:50.000 |
| summary | snmp trap snmp_linkDown |
| suppid | |
| Systems | | |
Event Details
| community | sure |
| explanation | has key for ifIndex for all traps. |
| ifDescr | GigabitEthernet0/6 |
| ifDescr.10106 | GigabitEthernet0/6 |
| ifIndex | 10106 |
| ifIndex.10106 | 10106 |
| ifType | 6 |
| ifType.10106 | 6 |
| locIfReason | down |
| locIfReason.10106 | down |
| oid | 1.3.6.1.6.3.1.1.5.0 |

When does it get the "desc" on the cisco int?
Is it not possible to transform on "desc"?

My thoughts were to escalate the events that were uplinks on po's and vpc's. And they are all named something with 'link' in the description field.

--
Regards Falk
--------------------------------------------------------------
jcurry
2012-01-03 11:29:33 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: Best way to get Critical alerts on only selected ios interfaces?"

To view the discussion, visit: http://community.zenoss.org/message/63488#63488

--------------------------------------------------------------
You should certainly be able to set up an event mapping that tests any of the fields on the incoming event and then does a transform. Use the Rule part of the event mapping to test that the field has a particular value, or partial value, and then use the transform to change the severity.

So, if all your interface descriptions start with rLink, your rule would be something like:

evt.ifDescr.startswith('rLink')

and your transform for a Critical severity would simply be:

evt.severity=5

If you want some more examples and lots of explanations, try pulling my event management document from http://community.zenoss.org/docs/DOC-3538 .

Cheers,
Jane
--------------------------------------------------------------
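
The transform approach from the replies above, combined into one function: raise linkDown events on selected interfaces to Critical and cap the rest. This is an added example, not code from the thread or from Zenoss. The Event class is a stand-in for the Zenoss event object so the logic runs offline, and the 'TenGigabitEthernet' prefix and sample interface names are assumptions.

```python
# Added example: stand-in for the Zenoss event object so this runs offline.
class Event(object):
    def __init__(self, **fields):
        self.__dict__.update(fields)


CRITICAL, WARNING = 5, 3  # Zenoss severity numbers; 5 is Critical, as in the reply
UPLINK_PREFIXES = ('TenGigabitEthernet',)  # assumption: naming of the 10G uplinks


def transform(evt, prefixes=UPLINK_PREFIXES):
    """Logic for a transform on the /Net/Link/snmp_linkDown mapping."""
    # Not every trap carries ifDescr, so read it defensively instead of
    # calling evt.ifDescr.startswith(...) directly.
    if_descr = getattr(evt, 'ifDescr', '') or ''

    if if_descr:
        # component is empty in the trap shown in the thread; record the
        # interface so the event names what went down.
        evt.component = if_descr

    if if_descr.startswith(prefixes):
        # Selected uplinks: elevate to Critical.
        evt.severity = CRITICAL
        evt.summary = 'Uplink %s: %s' % (if_descr, evt.summary)
    else:
        # Everything else: never louder than Warning (the "invert" variant).
        evt.severity = min(evt.severity, WARNING)
    return evt


if __name__ == '__main__':
    # Constructed sample events, shaped like the trap in the thread.
    samples = [
        Event(ifDescr='TenGigabitEthernet1/1', severity=4, component='',
              summary='snmp trap snmp_linkDown'),
        Event(ifDescr='GigabitEthernet0/6', severity=4, component='',
              summary='snmp trap snmp_linkDown'),
        Event(severity=4, component='', summary='snmp trap snmp_linkDown'),
    ]
    for evt in samples:
        transform(evt)
        print(evt.severity, repr(evt.component), evt.summary)
```

In a real transform only the body of the function is pasted, operating on the `evt` that Zenoss supplies.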