Event Management Example 5: Normalize Monitoring Traps

This scenario illustrates how you can normalize events from raw event sources to the USM alert format. The SNMP connector collects traps from all trap sources that send their traps to the configured trap destination. However, because traps from different sources have different formats, detailed policy does not exist to convert those traps to the USM alert format.

The trap source normalized in this scenario is CA Systems Performance for Infrastructure Managers (powered by the CA SystemEDGE agent). The CA SystemEDGE agent monitors objects and processes and sends traps when configured thresholds are breached. This scenario normalizes the aggregate state traps that are sent when a monitor entry configured for stateful monitoring detects a threshold breach. You can manage the state of important resources and processes in the Operations Console. The examples and subsequent alert queue creation focus on process monitoring traps.

Note: This procedure normalizes aggregate state traps, which are sent when a monitor entry is configured for stateful monitoring. Monitor and process monitor traps are sent when monitors are not configured for stateful monitoring. These traps are not covered in this scenario. For more information, see the CA SystemEDGE documentation.

Follow these steps:

  1. Configure CA SystemEDGE to send traps to the SNMP connector system on the SNMP connector listening port (162 by default).
  2. Either generate or confirm that process monitor traps have occurred. A raw event search must return results to create a normalization action for the traps.
  3. Run a raw event search for CA SystemEDGE traps as follows:

    Aggregate state threshold breach traps from the CA SystemEDGE agent appear in the results table.

  4. Click Map Events.

    The New Policy page opens.

  5. Name the policy SystemEDGEMonitors, select Normalize Event, and click Next.

    The Normalize Event page opens.

  6. Establish the following mappings in the Assigned Value cells and click Next:
    Mdr Element ID: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.2.5}:${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.3.5}:${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.4.5}

    Maps the MdrElementID property to the monitor entry's object class, object instance, and object attribute.

    Example: Process://./OUTLOOK:Memory(KB)

    Occurrence Timestamp and Report Timestamp: fx:xsdateTime()

    Maps these properties to the current time. Find this value by right-clicking the cell and selecting Functions, fx:xsdateTime-now.

    Alert Type: Risk

    Maps the AlertType property to a static value of Risk.

    Severity: Use Map Function

    Maps the Severity property to the Current State varbind value. Right-click the cell, select Map, and map the values for varbind-1.3.6.1.4.1.546.17.1.1.6.5 to valid USM Severity values as follows using the Map function:

    Value column: USM Value column

    • 1: Unknown
    • 2: Normal
    • 3|4: Minor
    • 5: Major
    • 6: Critical
    • 7: Fatal

    Note: The Preview cell does not support map values derived through regular expressions. If the map value uses a regular expression, the Preview cell displays a message 'Mapping not found by preview'. However, the mapping itself occurs as expected in actual event policy.

    Summary: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.3.5} ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.4.5} threshold breach

    Maps the Summary property to the following statement: 'objectinstance objectattribute threshold breach'.

    Example: //./OUTLOOK Memory(KB) threshold breach

    Message: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.3.5} ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.4.5} ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.17.5} on fx:fqdn(${pattern1.snmp_agent})

    Maps the Message property to the following statement: 'objectinstance objectattribute currentvalue on agentserver'.

    Example: //./OUTLOOK Memory(KB) 150380 on server1.ca.com

    Repeat Count: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.9.5}

    Maps the RepeatCount property to the number of traps that have been generated on this object.

    User Attribute 1: Threshold: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.4.5}

    Maps the User Attribute 1 property to the object attribute value.

    Example: Memory(KB)

    Note: Instead of prefixing the value with 'Threshold', you can rename the User Attribute 1 value to Threshold.

    User Attribute 2: Use Map function

    Maps the User Attribute 2 property to the monitor threshold. Map the 1.3.6.1.4.1.546.17.1.1.18.5 varbind from integers to operators as follows:

    • 1: (No operator)
    • 2: >
    • 3: <
    • 4: >=
    • 5: <=
    • 6: =
    • 7: !=

    User Attribute 3: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.19.5}

    Maps the User Attribute 3 property to the monitor threshold value.

    Example: 50000

    User Attribute 4: ${pattern1.varbind-1.3.6.1.4.1.546.17.1.1.2.5}

    Maps the User Attribute 4 property to the object class.

    Example: Process

    User Attribute 5: SystemEDGE trap

    Assigns 'SystemEDGE trap' as the value for User Attribute 5.

    Use the Service right-click menu to assign the AlertedMdr properties to a managed service so that the normalized event appears on that service CI.

    The Select Data Sources page opens.

  7. Perform the following actions and click Next:
    1. Select Save and Deploy policy.
    2. Select Generic SNMP Traps in the Data Source Type drop-down list.
    3. Move the Generic SNMP Traps entry to the Selected Data Sources pane.

    The Confirm page opens.

  8. Verify the policy information and click Finish.

    The policy deploys. Any time a CA SystemEDGE monitor entry generates an aggregate state threshold breach trap, Event Management normalizes it according to the deployed policy.

  9. Return to the Event Policies dialog and run the following event search:
    userAttribute5='SystemEDGE trap'

    This search pattern returns all normalized CA SystemEDGE traps.

  10. Click Create Policy, name the policy RefineNormalizedTraps on the New Policy page, select Create New Event, and click Next.
  11. Make the following changes in the New Event table:
    User Attribute 1: Threshold: ${pattern1.userAttribute1} ${pattern1.userAttribute2} ${pattern1.userAttribute3}

    Maps the User Attribute 1-3 values in the normalized trap into a single value. The mapping provides a consolidated trap threshold statement, which includes the operator values that you mapped in the normalization action.

    Example: Memory(KB) > 50000

    Note: Instead of prefixing the value with 'Threshold', you can rename the User Attribute 1 value to Threshold.

  12. Deploy the policy on the same Generic SNMP Traps connector.

    This policy takes the information in the normalized event and creates an event with a complete threshold statement in the User Attribute 1 value. The separate policy is required because normalization does not support embedded map functions in an Assigned Value cell. Therefore, you cannot build the combined threshold statement in the normalization policy itself. The create event policy also filters out the original events to avoid duplicate alerts.

  13. Create a separate policy with a filter action on the same search pattern that you entered in Step 9.

    This policy discards the original event so that only the created event with the correct threshold mapping appears in the Operations Console.

  14. Select the Alert Queues tab and click Add.

    The New Alert Queue dialog opens.

  15. Perform the following actions and click Next:
    1. Enter SystemEDGE Monitors in the Queue Name field.
    2. Select User Attribute (4) in the Attribute drop-down list.
    3. Select Equal To in the Comparison Type drop-down list.
    4. Enter Process in the Attribute Value field.
    5. Click Add.

    The queue criteria add alerts with a User Attribute 4 property value of Process.

  16. Complete the alert queue creation process and click Finish on the Confirm page.

    Note: You can assign escalation policies and user group access to the queue.

    The alert queue is created. The alerts for CA SystemEDGE traps with a User Attribute 4 value of Process appear in this queue. You can manage process monitoring traps together.

  17. Repeat Steps 13-15 to create queues that are based on other trap properties. For example, because you isolated the key identifier properties in the User Attribute properties, you can create queues to group traps of the same object class or attribute.
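
The mappings from Steps 6 and 11, written out in Python so that the resulting field values can be checked against the Example lines above. This is an added example, not CA product code or policy syntax. The trap dictionary layout, the function names, and the sample values are assumptions; the agent name is taken as already fully qualified in place of fx:fqdn(), timestamps are omitted, and the 'Threshold:' prefix is left out to match the Example lines.

```python
import re

BASE = "1.3.6.1.4.1.546.17.1.1."  # OID prefix shared by the varbinds in step 6

# Map tables from step 6. Keys are regular expressions, as in the "3|4" entry.
SEVERITY = {"1": "Unknown", "2": "Normal", "3|4": "Minor",
            "5": "Major", "6": "Critical", "7": "Fatal"}
OPERATOR = {"1": "", "2": ">", "3": "<", "4": ">=", "5": "<=", "6": "=", "7": "!="}

def map_value(table, raw):
    """Return the mapped value for raw, or None when no pattern matches."""
    for pattern, mapped in table.items():
        if re.fullmatch(pattern, str(raw)):
            return mapped
    return None

def normalize(trap):
    """Apply the step 6 mappings to one trap: {'snmp_agent', 'varbinds'}."""
    def vb(suffix):  # a missing varbind raises KeyError rather than being guessed
        return str(trap["varbinds"][BASE + suffix])
    severity = map_value(SEVERITY, vb("6.5"))
    operator = map_value(OPERATOR, vb("18.5"))
    if severity is None or operator is None:
        raise ValueError("state or operator varbind is outside the mapped values")
    return {
        "MdrElementID": f"{vb('2.5')}:{vb('3.5')}:{vb('4.5')}",
        "AlertType": "Risk",
        "Severity": severity,
        "Summary": f"{vb('3.5')} {vb('4.5')} threshold breach",
        "Message": f"{vb('3.5')} {vb('4.5')} {vb('17.5')} on {trap['snmp_agent']}",
        "RepeatCount": vb("9.5"),
        "userAttribute1": vb("4.5"),
        "userAttribute2": operator,
        "userAttribute3": vb("19.5"),
        "userAttribute4": vb("2.5"),
        "userAttribute5": "SystemEDGE trap",
    }

def refine(alert):
    """Step 11: join userAttribute1-3 into one threshold statement."""
    parts = [alert[f"userAttribute{n}"] for n in (1, 2, 3)]
    return dict(alert, userAttribute1=" ".join(p for p in parts if p))

# Constructed sample trap (values chosen to match the Example lines above).
SAMPLE = {"snmp_agent": "server1.ca.com", "varbinds": {
    BASE + "2.5": "Process", BASE + "3.5": "//./OUTLOOK", BASE + "4.5": "Memory(KB)",
    BASE + "6.5": 4, BASE + "9.5": 3, BASE + "17.5": 150380,
    BASE + "18.5": 2, BASE + "19.5": 50000}}

if __name__ == "__main__":
    for field, value in refine(normalize(SAMPLE)).items():
        print(f"{field}: {value}")
```

A state or operator value outside the mapped range raises an error here instead of producing an alert with an empty Severity, which makes unmapped trap values visible when you test a policy against sample data.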