Thanks Kevin,
Was wondering does SCOM treat the Syntax types in different ways, as the varbind
I am interested in is Syntax Octets. I have used your post to test by matching
against ALERT_POLICY_NAME but each subsequent alert has no date in any of the
varbinds?
Here is a received trap with the server names etc. redacted.
.1.3.6.1.2.1.1.3.0 Timeticks 191876266
.1.3.6.1.6.3.1.1.4.1.0 Oid .1.3.6.1.4.1.1302.3.12.10.2.0.4
.1.3.6.1.4.1.1302.3.12.10.1.1 Octets SCOM
.1.3.6.1.4.1.1302.3.12.10.1.2 Octets 1210741 Active Job Completed with Exit
Status 0
.1.3.6.1.4.1.1302.3.12.10.1.3 Octets Alert Raised on: 04 May 2017 16:17 Job:
2150593 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : XXX.XXX.XX
Job Policy: XXXXXXXXX Exit Status: 0 (the requested operation was successfully
completed) Client: XX New State: Done Alert Policy: XXXX OpsCenter Server: XX
Comment:
.1.3.6.1.4.1.1302.3.12.10.1.4 Octets ALERT_POLICY_NAME
.1.3.6.1.4.1.1302.3.12.10.1.5 Octets
.1.3.6.1.4.1.1302.3.12.10.1.6 Octets
.1.3.6.1.4.1.1302.3.12.10.1.7 Octets XXXX
.1.3.6.1.4.1.1302.3.12.10.1.8 Octets XXXX
.1.3.6.1.4.1.1302.3.12.10.1.9 Octets
.1.3.6.1.4.1.1302.3.12.10.1.10 Octets
.1.3.6.1.4.1.1302.3.12.10.1.11 Octets Informational
.1.3.6.1.4.1.1302.3.12.10.1.12 Octets Thu May 04 16:17:20 BST 2017
Using your example against my alert rule:
<ConditionDetection ID="FilterSpecificVarbind" TypeID="System!System.ExpressionFilter">
  <Expression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[6]/Value</XPathQuery>
      </ValueExpression>
      <Operator>Equal</Operator>
      <ValueExpression>
        <Value Type="String">ALERT_POLICY_NAME</Value>
      </ValueExpression>
    </SimpleExpression>
  </Expression>
</ConditionDetection>
Peter Hakesley | Monitoring & Automation Technical Lead Engineer, Data Centre
Services
t: +44(0)845 155 6556 ext: 4006
e: [email protected] | w: www.scc.com
a: SCC, CV1, Cole Valley, 20 Westwood Avenue, Tyseley, Birmingham B11 3RZ
From: [email protected] On Behalf Of Kevin Holman
Sent: 03/May/2017 17:06
To: [email protected]
Subject: [msmom] RE: SNMP Trap Correlation
Yes - you can alert on specific traps with specific data in a varbind - my blog
article referenced has an exact example of that. My example uses "equal" but
this can be changed to a contains or matches regular expression example easily.
However - SCOM supports outputting the whole varbind to the alert description.
If you want to manipulate the data in a varbind, and not output all of it, or
do advanced stuff with data in a varbind - you have to run a script writeaction
or datasource in response to the trap. This would be a bit of a complex
datasource that combines the SNMP trap provider, and a script that runs, with
the first module passing data to the second, then the script takes the varbind
information in as a parameter, then manipulates it as required. Not simple,
but totally doable.
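
The parsing and pairing logic that such a script would need, as an added example that is not part of the original thread and not code from Kevin's blog. It assumes the summary varbind (OID ending .10.1.2) always has the layout "<alert id> <Active|Clear> <text>" seen in the traps quoted in this thread; the function names are hypothetical, and wiring the script into a management pack is not shown.

```powershell
# Added example. Sample strings below are copied from the traps in this thread.

function ConvertFrom-OpsCenterSummary {
    param([string]$Summary)

    # Mail wrapping can split the value across lines, so collapse whitespace first.
    $text = ($Summary -replace '\s+', ' ').Trim()

    # Assumed layout: "<alert id> <Active|Clear> <free text>"
    if ($text -cmatch '^(?<id>\d+) (?<state>Active|Clear) (?<msg>.+)$') {
        return [pscustomobject]@{
            AlertId = $Matches['id']
            State   = $Matches['state']
            Message = $Matches['msg']      # summary with the numeric id stripped
            # Assumption: the Clear trap repeats the id and text of its Active trap.
            Key     = '{0}|{1}' -f $Matches['id'], $Matches['msg']
        }
    }
    return $null    # unexpected layout: caller should alert on the raw text instead
}

function Update-OpenAlerts {
    param([hashtable]$Open, [string]$Summary)

    $alert = ConvertFrom-OpsCenterSummary -Summary $Summary
    if ($null -eq $alert) { return 'Unparsed' }

    if ($alert.State -eq 'Active') {
        $Open[$alert.Key] = $alert         # remember the open condition
        return 'Opened'
    }
    if ($Open.ContainsKey($alert.Key)) {
        $Open.Remove($alert.Key)           # Clear matched an earlier Active
        return 'Closed'
    }
    return 'ClearWithoutActive'            # Clear arrived with no Active on record
}

$open = @{}
$samples = @(
    "1207889 Active Drive IBM.ULT3580-TD5.002`nDown",   # wrapped as in the mail
    '1207889 Clear Drive IBM.ULT3580-TD5.002 Down',
    '1210741 Active Job Completed with Exit Status 0'
)
foreach ($s in $samples) {
    $result = Update-OpenAlerts -Open $open -Summary $s
    '{0,-20} {1}' -f $result, ($s -replace '\s+', ' ')
}
'Still open: {0}' -f ($open.Keys -join ', ')
```
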
From: [email protected] On Behalf Of Pete Hakesley
Sent: Wednesday, May 3, 2017 9:54 AM
To: [email protected]
Subject: [msmom] SNMP Trap Correlation
Hi all,
Environment: SCOM 2012 R2 UR9
Have been using Kevin's excellent blog post about SNMP traps
https://blogs.technet.microsoft.com/kevinholman/2015/02/03/snmp-trap-monitoring-with-scom-2012-r2/
I am currently trying to write a management pack for NetBackup 8 as one
currently does not exist.
I have managed to get the Traps in SCOM but now need to look at correlation.
Below I have an example of a drive down(ACTIVE) and up(CLEAR). Semantics aside
I would like to know if it is possible to correlate SNMP traps using a varbind
and some of the text to match a CLEAR to ACTIVE in this case.
I also want to do this with JOB failure/success messages.
It would be nice to strip out text from the varbind e.g. 1207889 Clear Drive
IBM.ULT3580-TD5.002 Down (remove the 1207889 from the SNMP variable)
Has anyone done this kind of thing before and an example would be useful as I
am a novice at XML and mgt writing/creating.
Thanks.
## Drive Up Trap
varbind1 : .1.3.6.1.2.1.1.3.0 Timeticks 182867471
varbind2 : .1.3.6.1.6.3.1.1.4.1.0 Oid .1.3.6.1.4.1.1302.3.12.10.2.0.1
varbind3 : .1.3.6.1.4.1.1302.3.12.10.1.1 Octets public
varbind4 : .1.3.6.1.4.1.1302.3.12.10.1.2 Octets 1207889 Clear Drive
IBM.ULT3580-TD5.002 Down
varbind5 : .1.3.6.1.4.1.1302.3.12.10.1.3 Octets Alert Raised on: 03 May 2017
15:08 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : OPSCENTER_SVR
Media Server: MEDIA_SVR Drive Name: IBM.ULT3580-TD5.002 Drive Number: 4 Robot
Number: 0 Alert Policy: POLICY_NAME Device Path: {8,0,4,0} OpsCenter Server:
OPSCENTER_SVR Comment:
varbind6 : .1.3.6.1.4.1.1302.3.12.10.1.4 Octets POLICY_NAME
varbind7 : .1.3.6.1.4.1.1302.3.12.10.1.5 Octets
varbind8 : .1.3.6.1.4.1.1302.3.12.10.1.6 Octets
varbind9 : .1.3.6.1.4.1.1302.3.12.10.1.7 Octets OPSCENTER_SVR
varbind10 : .1.3.6.1.4.1.1302.3.12.10.1.8 Octets OPSCENTER_SVR _FQDN
varbind11 : .1.3.6.1.4.1.1302.3.12.10.1.9 Octets
varbind12 : .1.3.6.1.4.1.1302.3.12.10.1.10 Octets
varbind13 : .1.3.6.1.4.1.1302.3.12.10.1.11 Octets Informational
varbind14 : .1.3.6.1.4.1.1302.3.12.10.1.12 Octets Wed May 03 15:08:38 BST 2017
## Drive Down Trap
Object Identifier Syntax Value
.1.3.6.1.2.1.1.3.0 Timeticks 182824024
.1.3.6.1.6.3.1.1.4.1.0 Oid .1.3.6.1.4.1.1302.3.12.10.2.0.1
.1.3.6.1.4.1.1302.3.12.10.1.1 Octets public
.1.3.6.1.4.1.1302.3.12.10.1.2 Octets 1207889 Active Drive IBM.ULT3580-TD5.002
Down
.1.3.6.1.4.1.1302.3.12.10.1.3 Octets Alert Raised on: 03 May 2017 15:08 Tree
Type : Server Tree Name : ALL MASTER SERVERS Nodes : OPSCENTER_SVR Media
Server: MEDIA_SVR Drive Name: IBM.ULT3580-TD5.002 Drive Number: 4 Robot Number:
0 Alert Policy: POLICY_NAME Device Path: {8,0,4,0} OpsCenter Server:
OPSCENTER_SVR Comment:
.1.3.6.1.4.1.1302.3.12.10.1.4 Octets POLICY_NAME
.1.3.6.1.4.1.1302.3.12.10.1.5 Octets
.1.3.6.1.4.1.1302.3.12.10.1.6 Octets
.1.3.6.1.4.1.1302.3.12.10.1.7 Octets OPSCENTER_SVR
.1.3.6.1.4.1.1302.3.12.10.1.8 Octets OPSCENTER_SVR _FQDN
.1.3.6.1.4.1.1302.3.12.10.1.9 Octets
.1.3.6.1.4.1.1302.3.12.10.1.10 Octets
.1.3.6.1.4.1.1302.3.12.10.1.11 Octets Critical
.1.3.6.1.4.1.1302.3.12.10.1.12 Octets Wed May 03 15:08:38 BST 2017