How to Map a Trap to Alarm with Custom Thresholding and use Dynamic Alarm Titles


Article ID: 194870




CA Spectrum


One of the benefits of using Spectrum to manage traps is the ability to quickly generate alarms for a trap that is not configured out of the box. In
  this example we will map the 'schannelLatency' trap from the BLUECOAT-SG-AUTHENTICATION-MIB to an event ID and have it
  generate alarms when the varbind holding the latency value is over a certain value.




Release : 10.x (NetOps 20.x)

Component : Spectrum Core / SpectroSERVER


To start, we will need to map the schannelLatency trap to an Event ID.


Now that the trap is mapped to an EventID (in my case 0xfff00000; the IDs will vary based on the system and which number is next available), we
  will need to launch the Event Configuration Editor.

In this example, we will apply 2 thresholds to generate Major and Minor alarms based upon the latency value reported by the device. We will
  use an EventCondition Rule and will require separate EventIDs for the Major and Minor Alarms.


- Create 2 new EventIDs by clicking the E+ button


Once the 2 new EventIDs have been created, we will add an EventCondition Rule to the EventID that was mapped
  to the schannelLatencyTrap trap before the 2 new events were created.

In the EventCondition Rule, we will need to create 2 Event Conditions, one for the upper threshold and one for the 
  lower threshold.

Before we create the Event Conditions, check the AlertMap entry for the trap, which shows which varbind is mapped to which variable number. In this
  case the latencyValue is mapped to variable 3, so in the Event Condition we will check Event Attribute 3.

- First Condition: Event Attribute 3 >= 300 (we want an alarm when the latency is 300 or greater). If this
    triggers, generate a different event (the first of the 2 additional events we created, in this case 0xfff00001)

- Second Condition: we would like a Minor alarm if the latency value is greater than 200 but less than 300 (as 300 is our Major threshold)


We now have an EventCondition Rule in place that can generate 0xfff00001 or 0xfff00002.



Configuring the Major alarm on 0xfff00001

- Set Event to Major Alarm
- Added Dynamic Alarm Title (supported in Spectrum 10.4.1+), which allows me to add the Trap Variable values in the title to
    create a richer alarm notification
- I configured this Event to clear any existing Minor alarms (note: you will need to configure the Minor event first and then come back to add the clear)



Configuring the Minor alarm on 0xfff00002

- Set Event to Minor Alarm
- Added Dynamic Alarm Title (supported in Spectrum 10.4.1+), which allows me to add the Trap Variable values in the title to
    create a richer alarm notification



Save All Events to commit them to the SpectroSERVERs and OneClicks.

The $SPECROOT/custom/Events/EventDisp file on the SpectroSERVERs should have been updated and look
  similar to (EventIDs will vary Environment to Environment based upon what IDs are free)



Spectrum should now process the schannelLatencyTrap and generate Major/Minor alarms when the latency
  value exceeds the thresholds.

Additional Information

* There are other ways to accomplish the same results; this is just one way to do so.
** In some cases a device may send multiple alerts for different instances. In cases like this, an
      Event Discriminator would be needed. If, for example, the DomainName variable is unique, this
      variable (variable 1) could be used as the discriminator.

Working with Events and Alarms - Creating Dynamic Alarm Titles


Testing: snmptrap on Linux can be used to generate a trap and trigger the events/alarms


snmptrap -v 2c -c StoneSour '' s "Zzyzx Rd" s "Average Latency Last 5 Minutes" i 380 a

    - SpectroSERVER IP, change to target SS's IP
    - a, The IP of the target device in the Landscape to assert the events/alarms onto, change as needed
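
The following script is an added example, not part of the original article: a boundary-value test plan that builds one snmptrap command per latency value on each side of the two thresholds and states which alarm each should raise. The REPLACE_* values, the variable names and the function names are assumptions; the trap and varbind OIDs must come from your own AlertMap entry.

```shell
#!/bin/sh
# Added example (not from the article): boundary-value test plan for the
# Major (>= 300) and Minor (> 200 and < 300) latency thresholds.
# All REPLACE_* values are placeholders: take the real OIDs from your AlertMap entry.
SS_IP="${SS_IP:-REPLACE_SPECTROSERVER_IP}"
DEVICE_IP="${DEVICE_IP:-REPLACE_DEVICE_IP}"
COMMUNITY="${COMMUNITY:-StoneSour}"            # community string from the article's sample
TRAP_OID="${TRAP_OID:-REPLACE_TRAP_OID}"
VB1_OID="${VB1_OID:-REPLACE_VARBIND1_OID}"     # variable 1: domain name
VB2_OID="${VB2_OID:-REPLACE_VARBIND2_OID}"     # variable 2: second string varbind
VB3_OID="${VB3_OID:-REPLACE_VARBIND3_OID}"     # variable 3: latency value
ADDR_OID="${ADDR_OID:-REPLACE_ADDRESS_OID}"    # varbind carrying the target device IP

# Alarm severity the EventCondition rule should yield for a latency value.
expected_alarm() {
    if [ "$1" -ge 300 ]; then
        echo Major
    elif [ "$1" -gt 200 ]; then
        echo Minor
    else
        echo none
    fi
}

# Print the snmptrap command for one latency value, or send it when SEND=1.
emit_trap() {
    set -- snmptrap -v 2c -c "$COMMUNITY" "$SS_IP" '' "$TRAP_OID" \
        "$VB1_OID" s "Zzyzx Rd" \
        "$VB2_OID" s "Average Latency Last 5 Minutes" \
        "$VB3_OID" i "$1" \
        "$ADDR_OID" a "$DEVICE_IP"
    if [ "${SEND:-0}" = 1 ]; then
        "$@"
    else
        for arg in "$@"; do printf "'%s' " "$arg"; done
        echo
    fi
}

# Values on each side of both thresholds, plus the article's sample value 380.
run_plan() {
    for value in 199 200 201 299 300 380; do
        printf '# latency %s -> expected alarm: %s\n' "$value" "$(expected_alarm "$value")"
        emit_trap "$value"
    done
}

run_plan
```

Run it as-is to review the plan; set SEND=1 with the environment variables filled in to send the traps. A latency of exactly 200 should raise no alarm, and exactly 300 should raise Major rather than Minor.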