Newbie questions on EM 2

[bwhinnen]

I've recently been asked to do event management with Unicenter, previously having used OpenView extensively.

I have no formal documentation at present but hopefully will be getting it soon. Its Unicenter NSM 3.1 on a Windows platform. The issue I have is I have the following events (messages)

%CATD_I_060, SNMPTRAP: -c public 9 192.168.174.254 UNRESOLVED 6 1 1872:14:09 3 OID: 1.3.6.1.4.1.9.9.43.1.1.6.1.3.96 .iso.org.dod.internet.private.enterprises.9.9.43.1.1.6.1.3.96 VALUE: 1 OID: 1.3.6.1.4.1.9.9.43.1.1.6.1.4.96 .iso.org.dod.internet.private.enterprises.9.9.43.1.1.6.1.4.96 VALUE: 2 OID: 1.3.6.1.4.1.9.9.43.1.1.6.1.5.96 .iso.org.dod.internet.private.enterprises.9.9.43.1.1.6.1.5.96 VALUE: 3

Coming into the EM, they are all processed via catrapd as they are SNMP traps sent from routers, switches, UPS's etc. The biggest problem I am having is how do I set up a MessageID to match them. I know I can use the program as *catrapd.exe to match the ones that have come through via this mechanism. I'll be then processing them via perl script and sending them out to a pager if required using the COMMAND action.

Thanks in advance
Brett

 

[dhauser]

I am rather new to CA but from my experence I would check with the router companies and see if they have a add-on function for CA. You may be able to install a package from them that will load the MIBs that you need to interpret the traps you are recieving.


Dan

 

[dhauser]

I just took a look at my server and it looks like you can open the Event Browser, right click on the event, and select MIB Browser. This should bring up the MIB Browser and allow you to define messages for thoes traps. However I think it would be better if you could get the MIBs from the makers of the devices that are sending the traps and load those MIBs. That would give you a better idea of problems with the hardware.

Dan

 

[shazbat]

Brett,

Does the following example help?

efine msgrec
msgid="%CATD_I_060, SNMPTRAP: -c public 2 *"
type="MSG"
msgnode="*"
desc="Processes Traps forwarded from the 3494 Tape Library - LIBMGR01"
cont='N'
msgact='Y'
wcsingle='?'
wcmany='*'
case="y"
regexp="n"

 

[bwhinnen]

Thanks for the responses.

I had a msgid of %CATD_I_060* and that didn't seem to pick it up, do I need to be more specific with it such as in your example?

Cheers
Brett

 

[croftilicious]

Getting the MIB from the manufacturer will help you manually interpret the traps, however for the DSM to do anything very automated, you'd have to create policy files (eg .dat and .cnf) for the router "agent" for the DSM to be able to interpret the traps.

 

[bwhinnen]

I don't need the DSM to interpret the trap, just forward the whole trap onto a script. The script will have the smarts built in to only pick the traps I want to look at. Its just the initial getting all SNMP traps sent to the script that I'm getting stuck with.

It was so much easier with OpenView, load the MIB, have the info for the Trap loaded, configure action script...

Cheers
brett

 

[george88]

Re: I had a msgid of %CATD_I_060* and that didn't seem to pick it up, do I need to be more specific with it such as in your example?

%CATD_I_060* will definitely pick it up. To test it, you could define a action (e.g. sendkeep) in red color. You will see the message in red color.

I would guess that something is not working in your actions. Check event console for details.

 

[bwhinnen]

Thanks George. I had it set as sendkeep with blue colour, and had nothing come through. I wasn't even sending it to the command at that stage, I just wanted to see that the msgId was picking up the messages correctly. I'll have another go with it and see how it goes. Is it possible that something else may be grabbing it first?

Cheers
Brett

 

[george88]

The event management will pick up the most specific message. for example. if you define %CATD_I_060* and %CATD_I_060, SNMPTRAP:*, the event management will pick up the latter.
To find out, inactive all the messages start with %CATD_I_060, and leave %CATD_I_060* active, you will be able to test it.

 

[SysMan7]

Hi Brett,
Some hints though:
- the most specific msgrecord match wins the race
- do not forget to 'opreload' to activate each and every msgrecod/action change (sounds stupid but tricked me more than once
- you can automate trap formatting into more easily text to read (see NSM3.1 Admin Guide, page 5-35); this should be more useful to page/e-mail someone
- depending on the ratio received/to-be-treated traps, you would either use event mgt (high ratio) or your Perl script (low ratio) to select the traps to be treated
- know that each Perl execution invokes the creation of its environment; consider 'EmPerl' (see Unicenter Implementation CD, v3.1 -> Field Developed Utilities)
Success,
SysMan7

 

[bwhinnen]

Hi Guys,

Thanks for all your info. I ended up re-installing NSM 3.1 in its entirety and as soon as I put in the MSGID above with pink highlighting the traps started coming out pink (after an opreload of course). This never happened after the first install... Very strange indeed.

Thanks for your helpful comments SysMan7, I'll look into EmPerl, but will also now be treating traps from different enterprise streams differently anyway due to the volume I am receiving.

Cheers
Brett

 

[maxst]

Hi

I'm newbie to tek-tip, but I have been working on CA Unicenter since January 2004. I read the EM problem and I have one question. Does the EM version 3.1 work differently then EM version 3.0 on the msgID. I thought that the first msgID picked up was the one with the smaller token value and if I want that several msgIDs are pick up I checked the option "Search all message". Am I right or wrong?

It might be the answers of my problem that I have since 2 weeks. I created an msgID for two specifics nodes, which I wrote in the "Domain\node" field (with the syntax node1|node2) in the Message records detail GUI. But this msgID is always picked up whatever is the node. I have this problem since I upgrade with version 3.1 Does someone have a suggestion?

 

[jayltz1]

Here is a couple of my suggestions to help you if they help at all. I have been using Unicenter since 2.4, and the best tool of the Unicenter suite is EM. Now having said that, it is their most powerful tool, and most mysterious at the same time. Not much as far as real world examples. They have a new 277 EM class. I know because I assisted in providing class materials. So check that class it.

As far as mibs, you are correct for your HP Openview comment, by far much easier. As a former Openview man myself before CA the transistion is very frustrating. It should work like this: Request to discover device, load th mib fro the devices traps if provided, discover device, edit trap messages if needed like VAR binds, configure any further actions.

Here is the deal, unless the mib is in the out of the box install from the cd's, it is difficult. DSM policy is actually required to perform this the way you think it should work.

Workarounds:

1. Do you use ANO? If so use the trap database, and trap editor to perform the mib loading. They actually load mibs into the SQL database CAITRAPDB. Now here comes the fun part you will have to use the aws_catch, or another snmp analyzer to actually see what the raw trap looks like. CA's catrapd.exe adds on info like the catd60 stuff, and does not show all of the info in the event console. The key is the sysobjid of the device and the enterprise id. When you load the trap database and enable it you will see what I mean.

2. Now let's compare message records and the trap database. Q: don't they both do the same thing? Yes, but be smart on what you are doing.

Think about it for a minute. Message records will format, massgae, and take action off of a trap that is somewhat formatted already. Thr trap database will intercept the trap before it is seen in EM, and send to EM a pre-formatted message thagt makes sense. Got it.

3. Gotchas. Welll you knew this was coming. The trap database trap editor tool looks like someone created it in 30 minutes. So you will quickly find out that you can hand edit the table since we are talking about SQL.

If EM and the trapdatabase are running, and both have moderate loads, catrapd.exe might die alot!! Why? Well CA is not CPU intensive, but rather memory intensive(look out for SQL running away with memory, set limits manually) so if the trap you want to re-formatt is sent to EM first, which it has to, then it is seen by the ORB, sent to the trap database, reformatted, then sent back to the console. See the issue. Memory leaks, and unchecked buffers.

Hope ths helps!!!