How to Map a Trap to Alarm with Custom Thresholding and use Dynamic Alarm Titles

book

Article ID: 194870

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction


One of the benefits of using Spectrum to manage traps is the ability to quickly generate alarms for one not configured out of the box. In
  this example we will map the 'schannelLatency' trap from the BLUECOAT-SG-AUTHENTICATION-MIB to an event id and have it
  generate alarms when the value of one of its varbinds holding the latency value is over a certain value.


Cause

-

Environment

Release : 10.x

Component : Spectrum Core / SpectroSERVER

Resolution


To start we will need to map the schannelLatency trap to an Event ID.

 

 


Now that the trap is mapped to an EventID *(in my case 0xfff00000, the ID's will vary based on the system and what next number is available), we
  will need to launch the Event Configuration Editor.

In this example, we will apply 2 thresholds to generate Major and Minor alarms based upon the latency value reported by the device. We will
  use an EventCondition Rule and will require separate EventIDs for the Major and Minor Alarms.

 

- Create 2 new EventIDs by clicking the E+ button as shown below



 

Once the 2 new EventIDs have been created we will add an EventCondition Rule to the EventID that was mapped
  to the schannelLatencyTrap trap prior to creating the 2 new events.



In the EventCondition Rule, we will need to create 2 Event Conditions, one for the upper threshold and one for the 
  lower threshold.

Before we create the Event Conditions, the AlertMap entry for the trap will show what varbind is mapped to what variable number. In this
  case the latencyValue is mapped to variable 3. In the Event Condition, we will check Event Attribute 3.



- First Condition, Event Attribute 3 >= 300 (we want an alarm when the latency is 300 or greater) and if this
    triggers generate a different event (The first of the 2 additional events we created, in this case, 0xfff00001)





- Second Condition
  We would like a Minor alarm if the latency value is greater than 200 but less than 300 (as 300 is our Major threshold)

 

 

We now have an EventCondition Rule in place that can generate 0xfff00001 or 0xfff00002

 

 

Configuring the Major alarm on 0xfff00001


- set Event to Major Alarm
- Added Dynamic Alarm Title (supported in Spectrum 10.4.1+) which allows me to add the Trap Variable values in the title to
    create a richer alarm notification
- I configured this Event to clear any Existing Minor alarms (note you will need to configure the Minor event and come back to add the clear)

 

 

Configuring the Minor alarm on 0xfff00002

- set Event to Minor Alarm
- Added Dynamic Alarm Title (supported in Spectrum 10.4.1+) which allows me to add the Trap Variable values in the title to
    create a richer alarm notification

 

 

Save All Events to commit them to the SpectroSERVERs and OneClicks



The $SPECROOT/custom/Events/EventDisp file on the SpectroSERVERs should have been updated and look
  similar to (EventIDs will vary Environment to Environment based upon what IDs are free)

 

 

Spectrum should now process the schannelLatencyTrap and generate Major/Minor alarms when the latency
  value exceeds the thresholds.


Additional Information


* There are other ways to accomplish the same results, this is just one way to do so.
** In some cases a device may send multiple alerts for different instances. In cases like this, an
      Event Discriminator would be needed. If for example, the DomainName variable would be unique this
      variable (variable 1) could be used as the discriminator

Working with Events and Alarms - Creating Dynamic Alarm Titles
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-1/managing-network/event-configuration/working-with-events-and-alarms.html

 

Testing: snmptrap on Linux can be used to generate a trap and trigger the events/alarms

example:

snmptrap -v 2c -c StoneSour  10.10.20.15:162 '' 1.3.6.1.4.1.3417.2.15.5.1 1.3.6.1.4.1.3417.2.15.5.0.1.1 s "Zzyzx Rd" 1.3.6.1.4.1.3417.2.15.5.0.1.2 s "Average Latency Last 5 Minutes" 1.3.6.1.4.1.3417.2.15.5.0.1.3 i 380 1.3.6.1.6.3.18.1.3.0 a 10.10.20.46

    - SpectroSERVER IP 10.10.20.15:162, change to target SS's IP
    - 1.3.6.1.6.3.18.1.3.0 a 10.10.20.46, The IP of the target device in the Landscape to assert the events/alarms onto, change as needed

Attachments