Looks good to me. Did you create a "catch all" SNMP trap collection rule and look at the data as it is seen inside SCOM?

From: [email protected] [mailto:[email protected]] On Behalf Of Pete Hakesley
Sent: Thursday, May 4, 2017 10:28 AM
To: [email protected]
Subject: [msmom] RE: SNMP Trap Correlation

Thanks Kevin,

Was wondering, does SCOM treat the Syntax types in different ways, as the varbind I am interested in is Syntax Octets? I have used your post to test by matching against ALERT_POLICY_NAME, but each subsequent alert has no date in any of the varbinds?

Here is a received trap with the server names etc. redacted.

| Object Identifier | Syntax | Value |
|---|---|---|
| .1.3.6.1.2.1.1.3.0 | Timeticks | 191876266 |
| .1.3.6.1.6.3.1.1.4.1.0 | Oid | .1.3.6.1.4.1.1302.3.12.10.2.0.4 |
| .1.3.6.1.4.1.1302.3.12.10.1.1 | Octets | SCOM |
| .1.3.6.1.4.1.1302.3.12.10.1.2 | Octets | 1210741 Active Job Completed with Exit Status 0 |
| .1.3.6.1.4.1.1302.3.12.10.1.3 | Octets | Alert Raised on: 04 May 2017 16:17 Job: 2150593 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : XXX.XXX.XX Job Policy: XXXXXXXXX Exit Status: 0 (the requested operation was successfully completed) Client: XX New State: Done Alert Policy: XXXX OpsCenter Server: XX Comment: |
| .1.3.6.1.4.1.1302.3.12.10.1.4 | Octets | ALERT_POLICY_NAME |
| .1.3.6.1.4.1.1302.3.12.10.1.5 | Octets | |
| .1.3.6.1.4.1.1302.3.12.10.1.6 | Octets | |
| .1.3.6.1.4.1.1302.3.12.10.1.7 | Octets | XXXX |
| .1.3.6.1.4.1.1302.3.12.10.1.8 | Octets | XXXX |
| .1.3.6.1.4.1.1302.3.12.10.1.9 | Octets | |
| .1.3.6.1.4.1.1302.3.12.10.1.10 | Octets | |
| .1.3.6.1.4.1.1302.3.12.10.1.11 | Octets | Informational |
| .1.3.6.1.4.1.1302.3.12.10.1.12 | Octets | Thu May 04 16:17:20 BST 2017 |

Using your example against my alert rule:

```xml
<ConditionDetection ID="FilterSpecificVarbind" TypeID="System!System.ExpressionFilter">
  <Expression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="String">EventData/DataItem/SnmpVarBinds/SnmpVarBind[6]/Value</XPathQuery>
      </ValueExpression>
      <Operator>Equal</Operator>
      <ValueExpression>
        <Value Type="String">ALERT_POLICY_NAME</Value>
      </ValueExpression>
    </SimpleExpression>
  </Expression>
</ConditionDetection>
```

Peter Hakesley | Monitoring & Automation Technical Lead Engineer, Data Centre Services
t: +44(0)845 155 6556 ext: 4006 | e: [email protected] | w: www.scc.com
a: SCC, CV1, Cole Valley, 20 Westwood Avenue, Tyseley, Birmingham B11 3RZ

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Holman
Sent: 03/May/2017 17:06
To: [email protected]
Subject: [msmom] RE: SNMP Trap Correlation

Yes - you can alert on specific traps with specific data in a varbind - my blog article referenced has an exact example of that. My example uses "equal", but this can be changed to a "contains" or "matches regular expression" example easily.

However - SCOM supports outputting the whole varbind to the alert description. If you want to manipulate the data in a varbind, and not output all of it, or do advanced stuff with data in a varbind, you have to run a script writeaction or datasource in response to the trap. This would be a bit of a complex datasource that combines the SNMP trap provider and a script that runs, with the first module passing data to the second; the script then takes the varbind information in as a parameter and manipulates it as required. Not simple, but totally doable.

From: [email protected] [mailto:[email protected]] On Behalf Of Pete Hakesley
Sent: Wednesday, May 3, 2017 9:54 AM
To: [email protected]
Subject: [msmom] SNMP Trap Correlation

Hi all,

Environment: SCOM 2012 R2 UR9

Have been using Kevin's excellent blog post about SNMP traps: https://blogs.technet.microsoft.com/kevinholman/2015/02/03/snmp-trap-monitoring-with-scom-2012-r2/

I am currently trying to write a management pack for NetBackup 8 as one currently does not exist. I have managed to get the traps in SCOM but now need to look at correlation. Below I have an example of a drive down (ACTIVE) and up (CLEAR). Semantics aside, I would like to know if it is possible to correlate SNMP traps using a varbind and some of the text, to match a CLEAR to an ACTIVE in this case. I also want to do this with job failure/success messages. It would be nice to strip out text from the varbind, e.g. "1207889 Clear Drive IBM.ULT3580-TD5.002 Down" (remove the 1207889 from the SNMP variable). Has anyone done this kind of thing before? An example would be useful as I am a novice at XML and MP writing/creating. Thanks.

## Drive Up Trap

| Varbind | Object Identifier | Syntax | Value |
|---|---|---|---|
| varbind1 | .1.3.6.1.2.1.1.3.0 | Timeticks | 182867471 |
| varbind2 | .1.3.6.1.6.3.1.1.4.1.0 | Oid | .1.3.6.1.4.1.1302.3.12.10.2.0.1 |
| varbind3 | .1.3.6.1.4.1.1302.3.12.10.1.1 | Octets | public |
| varbind4 | .1.3.6.1.4.1.1302.3.12.10.1.2 | Octets | 1207889 Clear Drive IBM.ULT3580-TD5.002 Down |
| varbind5 | .1.3.6.1.4.1.1302.3.12.10.1.3 | Octets | Alert Raised on: 03 May 2017 15:08 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : OPSCENTER_SVR Media Server: MEDIA_SVR Drive Name: IBM.ULT3580-TD5.002 Drive Number: 4 Robot Number: 0 Alert Policy: POLICY_NAME Device Path: {8,0,4,0} OpsCenter Server: OPSCENTER_SVR Comment: |
| varbind6 | .1.3.6.1.4.1.1302.3.12.10.1.4 | Octets | POLICY_NAME |
| varbind7 | .1.3.6.1.4.1.1302.3.12.10.1.5 | Octets | |
| varbind8 | .1.3.6.1.4.1.1302.3.12.10.1.6 | Octets | |
| varbind9 | .1.3.6.1.4.1.1302.3.12.10.1.7 | Octets | OPSCENTER_SVR |
| varbind10 | .1.3.6.1.4.1.1302.3.12.10.1.8 | Octets | OPSCENTER_SVR_FQDN |
| varbind11 | .1.3.6.1.4.1.1302.3.12.10.1.9 | Octets | |
| varbind12 | .1.3.6.1.4.1.1302.3.12.10.1.10 | Octets | |
| varbind13 | .1.3.6.1.4.1.1302.3.12.10.1.11 | Octets | Informational |
| varbind14 | .1.3.6.1.4.1.1302.3.12.10.1.12 | Octets | Wed May 03 15:08:38 BST 2017 |

## Drive Down Trap

| Varbind | Object Identifier | Syntax | Value |
|---|---|---|---|
| varbind1 | .1.3.6.1.2.1.1.3.0 | Timeticks | 182824024 |
| varbind2 | .1.3.6.1.6.3.1.1.4.1.0 | Oid | .1.3.6.1.4.1.1302.3.12.10.2.0.1 |
| varbind3 | .1.3.6.1.4.1.1302.3.12.10.1.1 | Octets | public |
| varbind4 | .1.3.6.1.4.1.1302.3.12.10.1.2 | Octets | 1207889 Active Drive IBM.ULT3580-TD5.002 Down |
| varbind5 | .1.3.6.1.4.1.1302.3.12.10.1.3 | Octets | Alert Raised on: 03 May 2017 15:08 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : OPSCENTER_SVR Media Server: MEDIA_SVR Drive Name: IBM.ULT3580-TD5.002 Drive Number: 4 Robot Number: 0 Alert Policy: POLICY_NAME Device Path: {8,0,4,0} OpsCenter Server: OPSCENTER_SVR Comment: |
| varbind6 | .1.3.6.1.4.1.1302.3.12.10.1.4 | Octets | POLICY_NAME |
| varbind7 | .1.3.6.1.4.1.1302.3.12.10.1.5 | Octets | |
| varbind8 | .1.3.6.1.4.1.1302.3.12.10.1.6 | Octets | |
| varbind9 | .1.3.6.1.4.1.1302.3.12.10.1.7 | Octets | OPSCENTER_SVR |
| varbind10 | .1.3.6.1.4.1.1302.3.12.10.1.8 | Octets | OPSCENTER_SVR_FQDN |
| varbind11 | .1.3.6.1.4.1.1302.3.12.10.1.9 | Octets | |
| varbind12 | .1.3.6.1.4.1.1302.3.12.10.1.10 | Octets | |
| varbind13 | .1.3.6.1.4.1.1302.3.12.10.1.11 | Octets | Critical |
| varbind14 | .1.3.6.1.4.1.1302.3.12.10.1.12 | Octets | Wed May 03 15:08:38 BST 2017 |

Peter Hakesley | Monitoring & Automation Technical Lead Engineer, Data Centre Services
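The script step Kevin describes (a script that receives the varbind values as parameters and manipulates them) together with the correlation Pete asks for (strip the leading alert ID, then match a CLEAR to its ACTIVE), as an added PowerShell example. It is not code from this thread, from NetBackup/OpsCenter or from any SCOM management pack; the function names are hypothetical, and it assumes the varbinds arrive in the order shown in the tables above (varbind4 is the summary, varbind5 the detail block, varbind13 the severity) and that the summary always begins with "<id> Active|Clear". The sample input is constructed from the two drive traps above.

```powershell
# Added example (not from the thread or any SCOM MP). Parses the varbinds of one
# NetBackup OpsCenter trap and pairs CLEAR traps with open ACTIVE traps.
# Assumption: varbind order as in the thread; function names are hypothetical.

function ConvertFrom-OpsCenterTrap {
    param(
        # All varbind values of one trap, in trap order (varbind1 .. varbind14).
        [Parameter(Mandatory)] [string[]] $VarbindValues
    )
    if ($VarbindValues.Count -lt 13) {
        throw "Expected at least 13 varbinds, got $($VarbindValues.Count)"
    }

    # Summary varbind (varbind4): "1207889 Clear Drive IBM.ULT3580-TD5.002 Down".
    # The leading number is a per-alert ID, so it is split off and kept separately.
    $summary = $VarbindValues[3]
    if (-not ($summary -match '^(?<id>\d+)\s+(?<state>Active|Clear)\s+(?<text>.+)$')) {
        throw "Unexpected summary varbind: '$summary'"
    }
    $alertId = $Matches['id']
    $state   = $Matches['state']
    $text    = $Matches['text']

    # Detail varbind (varbind5) is one line of "Name : Value" pairs; take the first
    # token after each name we care about ("Job Policy:" does not match "Job\s*:").
    $detail = $VarbindValues[4]
    $fields = @{}
    foreach ($name in 'Alert Policy', 'Drive Name', 'Media Server', 'Job') {
        $pattern = [regex]::Escape($name) + '\s*:\s*(?<value>\S+)'
        if ($detail -match $pattern) { $fields[$name] = $Matches['value'] }
    }

    # Correlation key = policy + the object the alert is about. The alert ID is
    # deliberately excluded so ACTIVE and CLEAR for the same drive/job share a key.
    $subject = $text
    if ($fields['Job'])        { $subject = 'Job ' + $fields['Job'] }
    if ($fields['Drive Name']) { $subject = 'Drive ' + $fields['Drive Name'] }

    [pscustomobject]@{
        AlertId        = $alertId
        State          = $state
        Message        = $text
        Severity       = $VarbindValues[12]
        CorrelationKey = '{0}|{1}' -f $fields['Alert Policy'], $subject
    }
}

# Keeps the set of open ACTIVE alerts and closes one when its CLEAR arrives.
function Update-OpenAlerts {
    param([hashtable] $OpenAlerts, [psobject] $Trap)
    if ($Trap.State -eq 'Active') {
        $OpenAlerts[$Trap.CorrelationKey] = $Trap
        return 'Opened'
    }
    if ($OpenAlerts.ContainsKey($Trap.CorrelationKey)) {
        $OpenAlerts.Remove($Trap.CorrelationKey)
        return 'Closed'
    }
    # A CLEAR with no open ACTIVE (missed trap, restart): log it rather than alert.
    return 'UnmatchedClear'
}

# Constructed sample input, copied from the Drive Down / Drive Up traps in the thread.
$detail = 'Alert Raised on: 03 May 2017 15:08 Tree Type : Server Tree Name : ALL MASTER SERVERS Nodes : OPSCENTER_SVR Media Server: MEDIA_SVR Drive Name: IBM.ULT3580-TD5.002 Drive Number: 4 Robot Number: 0 Alert Policy: POLICY_NAME Device Path: {8,0,4,0} OpsCenter Server: OPSCENTER_SVR Comment:'
$down = @('182824024', '.1.3.6.1.4.1.1302.3.12.10.2.0.1', 'public',
          '1207889 Active Drive IBM.ULT3580-TD5.002 Down', $detail, 'POLICY_NAME',
          '', '', 'OPSCENTER_SVR', 'OPSCENTER_SVR_FQDN', '', '', 'Critical',
          'Wed May 03 15:08:38 BST 2017')
$up   = @('182867471', '.1.3.6.1.4.1.1302.3.12.10.2.0.1', 'public',
          '1207889 Clear Drive IBM.ULT3580-TD5.002 Down', $detail, 'POLICY_NAME',
          '', '', 'OPSCENTER_SVR', 'OPSCENTER_SVR_FQDN', '', '', 'Informational',
          'Wed May 03 15:08:38 BST 2017')

$open = @{}
foreach ($trap in @($down, $up)) {
    $parsed = ConvertFrom-OpsCenterTrap -VarbindValues $trap
    $result = Update-OpenAlerts -OpenAlerts $open -Trap $parsed
    '{0,-8} {1,-6} {2,-14} {3}' -f $parsed.AlertId, $parsed.State, $result, $parsed.CorrelationKey
}
```

Run stand-alone, the two constructed traps produce the same correlation key, so the CLEAR closes the ACTIVE. Inside a SCOM script datasource of the kind Kevin describes, the varbind values would be passed in from the SNMP trap provider module as script parameters instead of the constructed arrays, and the parsed fields (state, key, message without the ID) would be returned in a property bag for the alert description; that wiring is not shown here.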
