How to add Cisco Syslog Trap Mappings to Alarms with Event Procedure and Conditional Alarm

Article ID: 386898

Updated On: 01-29-2025

Products

Network Observability Spectrum

Issue/Introduction

Kindly help to convert the syslog events into alarms as highlighted in the screenshot.

%L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 172.xx.yy.zz, id 1740:3501 EVPN, state is changed to: Down.

%L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 10.xx.yy.zz, id 1740:222 EVPN, state is changed to: Down.

%L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 172.xx.yy.zz, id 1740:3501 EVPN, state is changed to: Up.

%L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 10.xx.yy.zz, id 1740:222 EVPN, state is changed to: Up.

Environment

Spectrum: Any Version

Resolution

DX NetOps Spectrum can process Syslog Traps from Cisco devices and map the traps to events that can raise alarms. Out of the box, Spectrum maps the default trap to event 0x210d40.

 

$SPECROOT/SS/CsVendor/Cisco_Router/AlertMap

# ciscoSyslogMIBNotification
1.3.6.1.4.1.9.9.41.2.6.1     0x00210d40 1.3.6.1.4.1.9.9.41.1.2.3.1.2(1,0)\
                                        1.3.6.1.4.1.9.9.41.1.2.3.1.3(2,0)\
                                        1.3.6.1.4.1.9.9.41.1.2.3.1.4(3,0)\
                                        1.3.6.1.4.1.9.9.41.1.2.3.1.5(4,0)\
                                        1.3.6.1.4.1.9.9.41.1.2.3.1.6(5,0)

 

CISCO-SYSLOG-MIB

clogMessageGenerated NOTIFICATION-TYPE
	VARIABLES {
	   clogHistFacility               1.3.6.1.4.1.9.9.41.1.2.3.1.2   DisplayString  
            clogHistSeverity               1.3.6.1.4.1.9.9.41.1.2.3.1.3   SyslogSeverity    
		{
		   emergency(1)
		   alert(2)
		   critical(3)
		   error(4)
		   warning(5)
		   notice(6)
		   info(7)
		   debug(8)
		}
	   clogHistMsgName                1.3.6.1.4.1.9.9.41.1.2.3.1.4   DisplayString  
	   clogHistMsgText                1.3.6.1.4.1.9.9.41.1.2.3.1.5   DisplayString                  
	   clogHistTimestamp              1.3.6.1.4.1.9.9.41.1.2.3.1.6   TimeStamp                      
	}
	DESCRIPTION
	"When a syslog message is generated by the device a
                 clogMessageGenerated notification is sent.  The
                 sending of these notifications can be enabled/disabled
                 via the clogNotificationsEnabled object."
-- 1.3.6.1.4.1.9.9.41.2.0.1

 

DX NetOps Spectrum's documentation provides a good explanation of this process.

Syslog Trap Support documentation

Event 0x210c0e is the default event Spectrum creates for Syslog traps. If Spectrum cannot find an event to map the Syslog trap to in the following three files or in the custom folder, it generates this Syslog Event 0x210c0e.

$SPECROOT/SS/CsVendor/Ctron_CAT/Switch.txt
$SPECROOT/SS/CsVendor/CiscoPIX/Pix.txt
$SPECROOT/SS/CsVendor/Cisco_Router/Rtr.txt

The trap message arrives in the following format:

FACILITY-SEVERITY-MNEMONIC: Message-text

 

Spectrum then parses the above files for a match. If no match is found, it falls back to event 0x210c0e.

 

From the Event Message provided:

L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 172.xx.yy.zz, id 1740:115 EVPN, state is changed to: Up

L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 172.xx.yy.zz, id 1740:115 EVPN, state is changed to: Down

Where:

  • <FACILITY> = L2-L2VPN_PW
  • <SEVERITY> = 3
  • <MNEMONIC> = UPDOWN

 

Here are the detailed steps to implement this customization:

1. Create the $SPECROOT/custom/Events/Rtr.txt file (if it does not exist) on the SpectroSERVER host and add the following:

L2-L2VPN_PW 3 UPDOWN 0xfff00001

Note: You must have an EventDisp file in the same directory as the Rtr.txt file.

 

2. Create the $SPECROOT/custom/Events/EventDisp file (if it does not exist) on the SpectroSERVER host and add the following:

The following Event Procedure for the 0xfff00001 event code extracts the IP address, id, and state, and adds the Dynamic Alarm Title into the 0x12b4c alarm attribute ID. The IP address value is stored in variable 6, the id value in variable 7, and the state value in variable 8.

0xfff00001 P" \
CreateEventWithVariables( \
{C CURRENT_MODEL}, \
{H 0xfff00002}, \
SetEventVariable( \
SetEventVariable( \
SetEventVariable( \
SetEventVariable( \
GetEventVariableList(), \
{U 6}, \
GetRegexp(GetEventVariable( \
{U 4}), \
{S \"((?:\\\\d+\\\\.){3}\\\\d+)\"}, \
{U 1})), \
{U 7}, \
GetRegexp(GetEventVariable( \
{U 4}), \
{S \"id ([^ ]+)\"}, \
{U 1})), \
{U 8}, \
GetRegexp(GetEventVariable( \
{U 4}), \
{S \"([^ ]+)$\"}, \
{U 1})), \
{H 0x12b4c}, \
GetEventVariable({U 4})) \
)"

0xfff00002 E 0

 

3. Go to the OneClick Console and click the "Update Event Configuration" button under the SpectroSERVER Control subview of the VNM model to load the changes you made in the $SPECROOT/custom/Events/ directory into the SpectroSERVER memory.

 

4. Set the Conditional Alarm Severity for the 0xfff00002 event code. Supply the Event Message.

Click the Configure button.

 

5. Click the "+" button to add a new conditional severity mapping.

 

6. Supply the Severity Mapping filename and directory. Add the Value and Severity, and then click the OK button.

 

7. Click the OK button.

 

8. Save the change.

 

9. Once saved, the $SPECROOT/custom/Events/EventDisp file will be updated as follows:

0xfff00001 E 0 P" CreateEventWithVariables( {C CURRENT_MODEL}, {H 0xfff00002}, SetEventVariable( SetEventVariable( SetEventVariable( SetEventVariable( GetEventVariableList(), {U 6}, GetRegexp(GetEventVariable( {U 4}), {S \"((?:\\\\d+\\\\.){3}\\\\d+)\"}, {U 1})), {U 7}, GetRegexp(GetEventVariable( {U 4}), {S \"id ([^ ]+)\"}, {U 1})), {U 8}, GetRegexp(GetEventVariable( {U 4}), {S \"([^ ]+)$\"}, {U 1})), {H 0x12b4c}, GetEventVariable({U 4})) )"

0xfff00002 E 0 A { v 8 CA.syslog_L2-L2VPN_PW },0xfff00002,6,7

And the $SPECROOT/custom/Events/CA/Severity/syslog_L2-L2VPN_PW file will be created.

Note: The Event Procedure cannot be edited from the Event Configuration Editor. Use a regular text editor.

 

10. Supply the Event Message for the 0xfff00001 event code. You can copy it from the 0x210d40 event code.

 

Once a new trap is processed where the state is Down, a Major alarm will be asserted with Cause Code 0xfff00002.

The Alarm Title has the value from variable 4 (clogHistMsgText).

Once the state is Up, the alarm will be cleared.
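
To check the mapping and the three extraction patterns before loading them into the SpectroSERVER, the sketch below replays the steps above offline. It is an added example, not part of the original article or Spectrum's own code; it assumes Python's `re` behaves like Spectrum's GetRegexp for these patterns, and the sample addresses, the `OUTCOME` table and all function names are constructed for illustration.

```python
import re

# Constructed stand-ins for the article's files; addresses are documentation-range samples.
RTR_MAP = {("L2-L2VPN_PW", 3, "UPDOWN"): 0xFFF00001}   # the Rtr.txt entry from step 1
DEFAULT_EVENT = 0x210C0E                                # fallback event named in the article
# Outcome the article describes for variable 8; exact-match lookup is an assumption here.
OUTCOME = {"Down": "raise Major", "Up": "clear"}

# FACILITY-SEVERITY-MNEMONIC: text  (the facility may itself contain hyphens)
HEADER = re.compile(r"^%?(?P<fac>.+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")

# GetRegexp patterns from the event procedure with the EventDisp escaping removed.
VAR_PATTERNS = {6: r"((?:\d+\.){3}\d+)", 7: r"id ([^ ]+)", 8: r"([^ ]+)$"}


def map_event(line):
    """Return (event_code, message_text) following the Rtr.txt lookup described above."""
    m = HEADER.match(line.strip())
    if m is None:
        return DEFAULT_EVENT, None
    key = (m["fac"], int(m["sev"]), m["mn"])
    return RTR_MAP.get(key, DEFAULT_EVENT), m["text"]


def extract_vars(text):
    """Apply the three patterns; an unmatched pattern yields an empty string."""
    found = {}
    for var_id, pattern in VAR_PATTERNS.items():
        hit = re.search(pattern, text)
        found[var_id] = hit.group(1) if hit else ""
    return found


def process(line):
    """Full path: header lookup, variable extraction, conditional outcome."""
    event, text = map_event(line)
    if event != 0xFFF00001:
        return event, {}, "generic syslog event"
    variables = extract_vars(text)
    return event, variables, OUTCOME.get(variables[8], "no severity match")


if __name__ == "__main__":
    base = "%L2-L2VPN_PW-3-UPDOWN: Pseudowire with address 192.0.2.10, id 1740:3501 EVPN, state is changed to: "
    for sample in (base + "Down", base + "Up", base + "Down.",
                   "%LINK-3-UPDOWN: Interface Gi0/1, changed state to down"):
        print(process(sample))
```

When the message text ends with a period, as in the samples under Issue/Introduction, the third pattern captures `Down.` rather than `Down`; compare what it returns against the Value entered in step 6.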
