CA Spectrum Event and Alarm Handling
SPECTRUM IM
Infrastructure Events and Alerts
Overview
Event Management and Correlation
Event Rules
Condition Correlation
Event Procedures
Event Integration
South-Bound-GW
Event Notifications
SSA 3.0: Service AND Event/Alert Umbrella
DACHSUG 2011
Infrastructure Events and Alerts
What is an Event versus an Alarm?
Events - An event is a SPECTRUM object that indicates that something significant
has occurred within SPECTRUM itself or within the managed environment.
Events can also be created manually through the Event Configuration Editor, imported via MIB
Tools, or created by editing the Event Configuration Files.
Alarms - An alarm is a SPECTRUM object that indicates that a user-actionable,
abnormal condition exists in a model.
Typically, SPECTRUM generates an alarm when an event specifies that one should be
created.
SPECTRUM can also generate an alarm based on the results of a SpectroWATCH
violation, or as a result of SPECTRUM detecting an abnormal situation not based on
an event (inference handler based).
Events in Spectrum Oneclick
Alarms in Spectrum Oneclick ECE
Alarms information in Spectrum Oneclick
A PCause code is specified for each alarm;
it selects the Probable Cause
information displayed for that alarm.
PCause files control what is displayed in
the Probable Cause information.
PCause files are static, event variables
information.
The dynamic alarm title attribute can be
populated with an Event Variable. This
allows for a single Probable cause to
have a dynamic alarm title.
The dynamic varbind ID is 76620 (or
0x12b4c). See Event Configuration User
Guide.pdf
Example: Trap Forwarding of external Managers and Event/Alarming in SPECTRUM
Example: Checkpoint FW Manager
File: AlertMap > Maps Trap to Event 00561001
SS/CsVendor/<customer>_Checkpoint
Content:
1.3.6.1.4.1.2620.1.1.6.0 0x561001 1.3.6.1.4.1.2620.1.1.11.0(101,0)
--------------------------------------------
File: EventDisp > Maps Event to Alarm 0x00561001
Content:
0x00561001 E 50 A 1,0x00561001,U
------------------------------------------
File: CsEvFormat/00561001 > Event Message
Content:
{d "%w- %d %m-, %Y - %T"} - Device {m} of type {t} generated. Event Message is: {S 101}.(event [{e}])
---------------------------------------------
File: CsPCause/Prob00561001 > Alarm Message
Content:
FIREWALL STATUS ALARM
SYMPTOMS:
A Firewall System status is over the treshold.
PROBABLE CAUSES:
1) A Trap from the firewall system was send
2) Firewall System has to high system usage
RECOMMENDED ACTIONS:
1) Check the Event Message in the SPECTRUM Alarm Manager
2) Inform the Firewall Administrator
3) Check the thresholds on the Firewall System
---------------------------------------------
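The four files above only produce a usable firewall alarm if they agree with each other, so the following added example (not part of the original slides or of CA Spectrum) cross-checks them. The function names are hypothetical, and the line layouts are assumed from the sample lines on this page rather than from the full Spectrum file grammar.

```python
import re

# File contents copied from the Checkpoint example on this page.
ALERT_MAP = "1.3.6.1.4.1.2620.1.1.6.0 0x561001 1.3.6.1.4.1.2620.1.1.11.0(101,0)"
EVENT_DISP = "0x00561001 E 50 A 1,0x00561001,U"
EV_FORMAT = ('{d "%w- %d %m-, %Y - %T"} - Device {m} of type {t} generated. '
             "Event Message is: {S 101}.(event [{e}])")
PCAUSE_FILES = {"Prob00561001"}  # file names present under CsPCause/

def parse_alert_map(line):
    """Split 'trapOID eventCode varbindOID(id,flag) ...' (layout assumed from the sample)."""
    trap_oid, event, *mappings = line.split()
    varbinds = {}
    for item in mappings:
        m = re.fullmatch(r"([\d.]+)\((\d+),(\d+)\)", item)
        if m is None:
            raise ValueError(f"unrecognised varbind mapping: {item!r}")
        varbinds[int(m.group(2))] = m.group(1)
    return trap_oid, int(event, 16), varbinds

def parse_event_disp(line):
    """Return (event code, alarm cause code or None) from 'code E sev [A sev,cause,...]'."""
    m = re.match(r"(0x[0-9a-fA-F]+)\s+E\s+\d+(?:\s+A\s+\d+,(0x[0-9a-fA-F]+))?", line)
    if m is None:
        raise ValueError(f"unrecognised EventDisp entry: {line!r}")
    cause = int(m.group(2), 16) if m.group(2) else None
    return int(m.group(1), 16), cause

def check_chain(alert_map, event_disp, ev_format, pcause_files):
    """List the breaks in the trap -> event -> alarm chain; empty list means consistent."""
    problems = []
    _, mapped_event, varbinds = parse_alert_map(alert_map)
    event, cause = parse_event_disp(event_disp)
    if event != mapped_event:  # compare as numbers: 0x561001 == 0x00561001
        problems.append(f"AlertMap raises 0x{mapped_event:08x}, EventDisp handles 0x{event:08x}")
    # {S 101}-style references must name a variable id that AlertMap fills from the trap.
    for ref in re.findall(r"\{[A-Za-z] (\d+)\}", ev_format):
        if int(ref) not in varbinds:
            problems.append(f"event format uses variable {ref}, which AlertMap never sets")
    if cause is not None and f"Prob{cause:08x}" not in pcause_files:
        problems.append(f"no CsPCause/Prob{cause:08x} for the alarm's cause code")
    return problems

if __name__ == "__main__":
    for problem in check_chain(ALERT_MAP, EVENT_DISP, EV_FORMAT, PCAUSE_FILES) or ["chain is consistent"]:
        print(problem)
```

Running a check like this after editing the files catches the cases where a forwarded firewall trap would arrive but produce no alarm, or an alarm with an empty message.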
Event Management and Correlation
Spectrum Event Correlation
Fault Suppression
Downstream device fault suppression (including VPM)
Child (Port/Process) suppression
Port flapping
Other default EventRules based Correlations
Alarm De-duplication
Recurring events for the same
field of the existing alarm.
Alarm Filtering
from alarm console. Secondary
alarms are just those with a lesser
severity.
Extending Event Correlation
There are a number of ways that SPECTRUM Event Correlation capabilities can be updated and
enhanced. They are listed below:
1. Simple Event Configuration updates
This includes specifying which events generate/clear alarms and event variables to discriminate.
In addition, event and alarm descriptions can be modified and enriched.
2. Event Rules
Event rules allow for events to be correlated on individual models (of the same modeltype).
3. Condition Correlation
Condition correlation allows for multiple events to be correlated across groups of models. Events (or the
be inferred.
4. Event Procedures
- Complex expressions that allow for events to be manipulated at a very granular level,
including creating new event variables and asserting events on models other than the source
(between different models(types)).
5. You can also influence the automatic Fault Isolation event and alarming behavior
Inductive Modeling Technology
Setting Fault Isolation Parameters
1. Settings in Component Details view of the VNM model
2. See also
for example Modeling and Managing Your IT Infrastructure Administrator Guide.pdf
Event Rules
Event Rules let you specify more intelligent decision-making about how an event is to
be processed.
Event rules allow you to
correlate multiple events on
the same model,
not across groups of models.
Event Rules available:
Event Condition
Event Pair
Event Rate
Event Series
Event Counter
Heartbeat
Single Event
Solo Event
Examples: Event Pair & Event Condition
Event Condition rule for SPM tests: generate event (alarm) 0xfffffffa only if var 1 (SPM test name) starts with AUA, and pass on variables 1, 2, 3 and 9
0x0456000b E 20 R Aprisma.EventCondition, "regexp({v 1},{S \ \*\"})", "0xfffffffa 1:1,2:2,3:3,9:9"
GUI
EventDisp File
Example: SPECTRUM Condition Correlation Editor
LSP Alarms generate one MPLS Backbone Error Alarm
Create Condition: left side (e.g. Backbone Error (type: counts)
Error these but show as symptoms
Example: Event Procedures (in EventDisp Files)
# When event beecc001 is generated, run the following procedure (Johannes Kroupa, CA)
# Goal: when this SPM event/alarm is generated on the device, an event/alarm should also be generated and evaluated on the corresponding port
0xbeecc001 E 50 P " \
ForEach( \
  GetModelsByAttrValue( \
    { H 0x10069 }, \
    ReadAttribute( { C CURRENT_MODEL }, { H 0x129fa } )), \
  { V portMh }, \
  { V dummyRetValue }, \
  { U 0 }, \
  If( \
    Equals( \
      ReadAttribute( { V portMh }, { H 0x11348 } ), \
      GetEventVariable( { U 1 } )), \
    CreateEventWithAttributes( \
      { V portMh }, \
      { H 0xbeecc002 }, \
      GetEventAttributeList()), \
    Nil()))"
The procedure first finds all models (GetModelsByAttrValue), i.e. all ports (and apps..) of the device. - handled in the loop).
It then checks whether the ifIndex (0x11348) on the port is the same as varbind 1 in the event, in order to find the right port. (e.g. here then the IP address) Then, if the port matches (here e.g. ifIndex), a new event is generated on it (0xbeecc002), with the same varbinds as the original event. If the port does not match, nothing is done (Nil()).
CA Event Integration (EI) - Architecture
Events and Traps from different Sources
For example Logfiles, Traps, Element Managers via XML, SNMP and CORBA etc.
Southbound Gateway: Non-SNMP, log files (syslogs!), DBs, V.24 and others
Vendor Specific EMS via Trap
Vendor Specific EMS via XML
Event Notification
Alarm Notification
CA Spectrum, alarm-processing applications and SANM (Policy Manager) work
together in the alarm monitoring process.
thank you