
SPECTRUM IM

Infrastructure Events and Alerts


Overview

Event Management and Correlation


Event Rules
Condition Correlation
Event Procedures
Event Integration
South-Bound-GW

Event Notifications

SSA 3.0: Service AND Event/Alert Umbrella


DACHSUG 2011

Infrastructure Events and Alerts

What is an Event versus an Alarm?

Events - An event is a SPECTRUM object that indicates that something significant has occurred within SPECTRUM itself or within the managed environment. Events can also be created manually through the Event Configuration Editor, imported via MIB Tools, or created by editing the Event Configuration Files.

Alarms - An alarm is a SPECTRUM object that indicates that a user-actionable, abnormal condition exists in a model. Typically, SPECTRUM generates an alarm when an event specifies that one should be created. SPECTRUM can also generate an alarm based on the results of a SpectroWATCH violation, or as a result of SPECTRUM detecting an abnormal situation not based on an event (inference handler based).

Events in Spectrum Oneclick

Alarms in Spectrum Oneclick ECE

Alarms information in Spectrum Oneclick


PCause code is specified for each alarm that displays the Probable Cause information for an alarm.
PCause files control what is displayed in the Probable Cause information.

PCause files are static, event variables


information. The dynamic alarm title attribute can be populated with an Event Variable. This allows for a single Probable cause to have a dynamic alarm title. The dynamic varbind ID is 76620 (or 0x12b4c). See Event Configuration User Guide.pdf

Example: Trap Forwarding of external Managers and Event/Alarming in SPECTRUM


Example: Checkpoint FW Manager
File: AlertMap > Maps Trap to Event 00561001
SS/CsVendor/<customer>_Checkpoint
Content:
1.3.6.1.4.1.2620.1.1.6.0 0x561001 1.3.6.1.4.1.2620.1.1.11.0(101,0)
-------------------------------------------
File: EventDisp > Maps Event to Alarm 0x00561001
Content:
0x00561001 E 50 A 1,0x00561001,U
-------------------------------------------
File: CsEvFormat/00561001 > Event Message
Content:
{d "%w- %d %m-, %Y - %T"} - Device {m} of type {t} generated. Event Message is: {S 101}.(event [{e}])
-------------------------------------------
File: CsPCause/Prob00561001 > Alarm Message
Content:
FIREWALL STATUS ALARM
SYMPTOMS:
A Firewall System status is over the treshold.
PROBABLE CAUSES:
1) A Trap from the firewall system was send
2) Firewall System has to high system usage
RECOMMENDED ACTIONS:
1) Check the Event Message in the SPECTRUM Alarm Manager
2) Inform the Firewall Administrator
3) Check the thresholds on the Firewall System
-------------------------------------------
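A consistency check over the four files of the Checkpoint example, added here and not part of the original slides: it verifies that a forwarded trap reaches an event, an event message and a Probable Cause file, so a firewall trap is not lost to a missing or mismatched entry. The field layouts are inferred from the example lines on this page; the function names and the in-memory dict of file contents are assumptions.

```python
import re

# File contents copied from the Checkpoint example; the dict layout is an assumption.
PAGE_FILES = {
    "AlertMap": "1.3.6.1.4.1.2620.1.1.6.0 0x561001 1.3.6.1.4.1.2620.1.1.11.0(101,0)\n",
    "EventDisp": "0x00561001 E 50 A 1,0x00561001,U\n",
    "CsEvFormat/00561001": '{d "%w- %d %m-, %Y - %T"} - Device {m} of type {t} '
                           "generated. Event Message is: {S 101}.(event [{e}])\n",
    "CsPCause/Prob00561001": "FIREWALL STATUS ALARM\n",
}

def parse_alert_map(text):
    """Assumed layout: <trap OID> <event code> <varbind OID>(<variable id>,<n>) ..."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            var_ids = {int(v) for v in re.findall(r"\((\d+),\d+\)", line)}
            entries.append({"trap": parts[0], "event": int(parts[1], 16), "vars": var_ids})
    return entries

def parse_event_disp(text):
    """Assumed layout: <event code> E <severity> [A <alarm severity>,<cause code>,...]"""
    pat = re.compile(r"(0x[0-9a-fA-F]+)\s+E\s+\d+(?:\s+A\s+\d+,(0x[0-9a-fA-F]+))?")
    events = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:  # value is the alarm cause code, or None when no alarm is raised
            events[int(m.group(1), 16)] = int(m.group(2), 16) if m.group(2) else None
    return events

def check_chain(files):
    """Return a list of gaps between trap, event, event message and alarm text."""
    problems = []
    disp = parse_event_disp(files.get("EventDisp", ""))
    for entry in parse_alert_map(files.get("AlertMap", "")):
        ev = entry["event"]  # compared as a number: 0x561001 == 0x00561001
        if ev not in disp:
            problems.append(f"trap {entry['trap']}: event 0x{ev:08x} not in EventDisp")
            continue
        fmt = files.get(f"CsEvFormat/{ev:08x}")
        if fmt is None:
            problems.append(f"event 0x{ev:08x}: no CsEvFormat/{ev:08x}")
        for var in re.findall(r"\{[A-Za-z] (\d+)\}", fmt or ""):
            if int(var) not in entry["vars"]:
                problems.append(f"event 0x{ev:08x}: variable {var} not mapped in AlertMap")
        cause = disp[ev]
        if cause is not None and f"CsPCause/Prob{cause:08x}" not in files:
            problems.append(f"event 0x{ev:08x}: no CsPCause/Prob{cause:08x}")
    return problems
```

An empty list from `check_chain(PAGE_FILES)` means the trap, event, message and alarm text line up; each string in a non-empty list names the missing link.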

Event Management and Correlation

Spectrum Event Correlation


Fault Suppression
Downstream device fault suppression (including VPM)
Child (Port/Process) suppression
Port flapping
Other default EventRules based Correlations

Alarm De-duplication
Recurring events for the same

field of the existing alarm.

Alarm Filtering
from alarm console. Secondary alarms are just those with a lesser severity.

Extending Event Correlation


There are a number of ways that SPECTRUM Event Correlation capabilities can be updated and enhanced. They are listed below:
1. Simple Event Configuration updates
This includes specifying which events generate/clear alarms and event variables to discriminate. In addition, event and alarm descriptions can be modified and enriched.

2. Event Rules
Event rules allow for events to be correlated on individual models (of the same modeltype).

3. Condition Correlation
Condition correlation allows for multiple events to be correlated across groups of models. Events (or the be inferred.

4. Event Procedures
Complex expressions that allow for events to be manipulated at a very granular level, including creating new event variables and asserting events on models other than the source (between different models(types)).

5. You can also influence the automatic Fault Isolation event and alarming behavior

Inductive Modeling Technology
Setting Fault Isolation Parameters

Settings in Component Details view of the VNM model
See also, for example, Modeling and Managing Your IT Infrastructure Administrator Guide.pdf

Event Rules
Event Rules let you specify more intelligent decision-making about how an event is to be processed. Event rules allow you to correlate multiple events on the same model, not across groups of models.
Event Rules available:
Event Condition
Event Pair
Event Rate
Event Series
Event Counter
Heartbeat
Single Event
Solo Event

Examples: Event Pair & Event Condition

GUI

ConditionEventRule for SPM tests: generate event (alarm) 0xfffffffa only if var 1 (SPM test name) starts with AUA, and deliver vars 1, 2, 3, 9
0x0456000b E 20 R Aprisma.EventCondition, "regexp({v 1},{S \ \*\"})", "0xfffffffa 1:1,2:2,3:3,9:9"

EventDisp File

Example: SPECTRUM Condition Correlation Editor


LSP Alarms generate one MPLS Backbone Error Alarm

Create Condition: left side (eg Error

Backbone Error

(type: counts) these but show as symptoms

Example: Event Procedures (in EventDisp Files)


# When event beecc001 is generated, execute the following procedure (Johannes Kroupa, CA)
# Goal: when this SPM event/alarm is generated on the device, an event/alarm should also be generated and evaluated on the corresponding port
0xbeecc001 E 50 P " \
    ForEach( \
        GetModelsByAttrValue( \
            { H 0x10069 }, \
            ReadAttribute( \
                { C CURRENT_MODEL }, \
                { H 0x129fa } )), \
        { V portMh }, \
        { V dummyRetValue }, \
        { U 0 }, \
        If( \
            Equals( \
                ReadAttribute( \
                    { V portMh }, \
                    { H 0x11348 } ), \
                GetEventVariable( { U 1 } )), \
            CreateEventWithAttributes( \
                { V portMh }, \
                { H 0xbeecc002 }, \
                GetEventAttributeList()), \
            Nil()))"
The procedure first finds all models (GetModelsByAttrValue), i.e. all ports (and apps..) of the device. handled in the loop). Then it checks whether the ifIndex (0x11348) on the port is the same as varbind 1 in the event, in order to find the right port. (e.g. here then IP address) Then, if the port matches (here e.g. ifIndex), a new event is generated on it (0xbeecc002), with the same varbinds as the original event. If the port does not match, nothing is done (Nil()).

CA Event Integration (EI) - Architecture

Southbound Gateway Non-SNMP, LogFiles (SYSLOGs !), DBs , V.24 and others
Events and Traps from different Sources For example Logfiles, Traps, Element Managers via XML, SNMP and CORBA etc.
Vendor Specific EMS via Trap Vendor Specific EMS via XML


Event Notification

Alarm Notification

CA Spectrum, alarm-processing applications and SANM (Policy Manager) work together in the alarm monitoring process.

thank you