Why is an event message based on a trap displayed as a non-Trap Event?


Article ID: 196006

Products

CA Spectrum

Issue/Introduction

The 0x4b6006e event message says that it is based on a trap, but the Trap Event column is not checked.

Environment

Release : 10.4

Component : Event

Resolution

0x4b6006e is a "child event" generated by an event condition; it originates from the 0x4b60053 event code.

The "parent event" is 0x4b60053, which is the event that is really based on a trap.

That is why the message for the 0x4b6006e event code is the same as the message for the 0x4b60053 event code.

How to find the "parent event"

On the SpectroSERVER machine, navigate to the $SPECROOT/SS/CsVendor directory.

Search for the 0x4b6006e event code in each EventDisp file under the $SPECROOT/SS/CsVendor directory.

$ find . -name EventDisp -exec grep 4b6006e {} \; -print
    "{ v 8 } == { I 0 }", "0x04b6006e -:-", \
0x04b6006e E 50 A 2, 0x04b6006e
0x04b6006f E 30 C 0x04b6006e
./Airespace/EventDisp
grep: ./Cisco_Router/CiscoVDCContainer/EventDisp: Is a directory

Then search in the $SPECROOT/SS/CsVendor/Airespace/EventDisp file for the 0x04b6006e event code.

# bsnSignatureAttackDetected
0x04b60053 R Aprisma.EventCondition, \
    "{ v 8 } == { I 0 }", "0x04b6006e -:-", \
    "{ v 8 } == { I 1 }", "0x04b6006f -:-", \
    "default", "0x04b60070 -:-"
0x04b6006e E 50 A 2, 0x04b6006e
0x04b6006f E 30 C 0x04b6006e
0x04b60070 E 10

0x4b60053 is the parent event.

Search for the 0x4b60053 event code in each AlertMap file under the $SPECROOT/SS/CsVendor directory.

$ find . -name AlertMap -exec grep 4b60053 {} \; -print
1.3.6.1.4.1.14179.2.6.3.6.70               0x04b60053    1.3.6.1.4.1.14179.2.2.1.1.1(1,0)\
./Airespace/AlertMap

The trap OID 1.3.6.1.4.1.14179.2.6.3.6.70 is mapped to generate the 0x4b60053 event code.
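The same child-to-parent-to-trap lookup as a script. This is an added example, not part of the original article or of CA Spectrum. It joins backslash-continued lines so the parent is read from the whole Aprisma.EventCondition rule rather than from a single grep hit. The record layout is assumed from the Airespace lines shown above only, and all function names are hypothetical.

```python
import re

# Constructed sample input: the Airespace lines quoted on this page (whitespace condensed).
EVENTDISP = r'''# bsnSignatureAttackDetected
0x04b60053 R Aprisma.EventCondition, \
    "{ v 8 } == { I 0 }", "0x04b6006e -:-", \
    "{ v 8 } == { I 1 }", "0x04b6006f -:-", \
    "default", "0x04b60070 -:-"
0x04b6006e E 50 A 2, 0x04b6006e
0x04b6006f E 30 C 0x04b6006e
0x04b60070 E 10
'''
ALERTMAP = r'''1.3.6.1.4.1.14179.2.6.3.6.70   0x04b60053   1.3.6.1.4.1.14179.2.2.1.1.1(1,0)\
'''

def norm(code):
    """0x4b6006e and 0x04b6006e are the same code; use the zero-padded file form."""
    return "0x%08x" % int(code, 16)

def records(text):
    """Logical records: backslash-newline continuations joined, comment lines dropped."""
    joined = re.sub(r"\\[ \t]*(\n|$)", " ", text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def parent_events(eventdisp, child):
    """Codes whose Aprisma.EventCondition rule lists `child` as a generated event."""
    parents = []
    for rec in records(eventdisp):
        # Assumed layout: <code> R Aprisma.EventCondition, "<cond>", "<code> -:-", ...
        m = re.match(r"(0x[0-9a-fA-F]+)\s+R\s+Aprisma\.EventCondition\b(.*)", rec)
        if m and norm(child) in {norm(t) for t in re.findall(r'"(0x[0-9a-fA-F]+) ', m.group(2))}:
            parents.append(norm(m.group(1)))
    return parents

def trap_oids(alertmap, event):
    """OIDs in column 1 of AlertMap rows whose column 2 is `event` (assumed layout)."""
    rows = (r.split() for r in records(alertmap))
    return [f[0] for f in rows if len(f) > 1
            and re.fullmatch(r"0x[0-9a-fA-F]+", f[1]) and norm(f[1]) == norm(event)]

def trace(eventdisp, alertmap, child):
    """Map each parent of `child` to the trap OIDs that raise that parent."""
    return {p: trap_oids(alertmap, p) for p in parent_events(eventdisp, child)}

if __name__ == "__main__":
    print(trace(EVENTDISP, ALERTMAP, "0x4b6006e"))
```

To run it against a live install, pass the contents of an EventDisp file and the AlertMap file from the same vendor directory instead of the embedded strings.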

 
