I am trying to pull together information on event processing from the Badger
book, the Admin Guide, the Developer Guide, FAQs, Hints & Tips and various
appends on these fora. I hope to publish something eventually. I would very
much appreciate input and comment on this.
Currently, I am struggling with terminology and names - some of which may have
been used loosely in various documents. For example, an event has both an
EventKey field and an EventClassKey field. What is the difference?? I think
the EventClassKey is what I specify when generating new Event Class Mappings
and is the field that is generally used to start the processing of an event -
(often the same as the component field, the syslog tag or the message summary)
- true? If so, what is the EventKey?
Some events don't have an EventClassKey - so how do those events start their
processing?
For those events that do have an EventClassKey, how is it populated?
Event Class, Event Class Mapping and Event Class Instances
=======================================
I am thoroughly confused between these 3 things. Can anyone spell out a
definition for each and how they are inter-related?
I have also found several appends that say that "the Event Class Key must match
the name of the Event Class Instance". However, if I look down /Events/Ignore
I find an Event Class Mapping (which is product-provided) called
defaultmapping_local7. If I go to the edit tab for this mapping, it shows the
"Name" (of the Event Mapping or the Event Instance ?????) as
defaultmapping_local7 and the EventClassKey as defaultmapping. Does this
work??
My stab at these would be:
An Event Class is a label for categorising events. For example, Event Commands
can be run using Event Class as a possible filter. Appendix B of the Admin
Guide or Appendix A of the Badger book document the allowable fields in an
Event Class.
An event arriving at Zenoss may be generated internally by a failed ping, from
a remote Unix syslog, from a remote Windows Event Log, from a remote Cisco
router issuing an SNMP TRAP, etc.... The "native format" is parsed by magic
('cos I can't see where it is done) into the afore-mentioned Event Class
format. Some of the Event Class fields are populated at this stage; some are
populated later. For example, the facility and priority fields are populated
from the data supplied in a syslog event so they will be populated at this
stage (if it is a syslog event).
We then need to categorize the event - this is known as mapping and it's main
purpose is to assign an Event Class - it is implemented by another piece of
unknown magic. It apparently starts by looking to see if the EventClassKey
field is filled in. If it is, it uses the value in this field to search for an
Event Class Mapping (or is it Instance???) definition with the same name. If
there are several Event Class Mappings with the same name, these are different
Event Class Instances of an Event Class Mapping and they are distinguished by
their sequence number (amongst other things). The sequence number gives the
order in which to process the different instances of the Event Mappings with
the same name. (Am I still on the right track????)
The Event Class Mapping can use rules and regular expressions to help map the
incoming event into an Event Class. If there are several instances of a
mapping then the sequence number defines the order to try the various mappings
and Event Class processing stops as soon as a matching Event Class is found.
If the incoming event does not match the rule / regex / example of the first
instance, it tries the second, and so on.
If a match is found, there is an opportunity to populate / change other fields
of the event using the Transform option of the Event Mapping configuration.
Questions
======
1) Does the Example field of an Event Mapping specify a littoral value to
match, rather then using the Rule / Regex fields to match parameterised input?
I think so.
2) If I use the Rule or Regex boxes of the Event Mapping dialog then I believe
I can specify exact or partial matches for various fields of the incoming
event. But many of the as-shipped Event Mappings just have the Example box
filled in. What field of the incoming event is being matched with this Example
text? Can it be changed?
3) What happens to an event where the "magic parser" does not populate the
EventClassKey field?? How does it find an Event Mapping to find an Event
Class??
4) What would I use the "Resolution" box in the Event Mapping for? Is it
effectively just another explanation box whose information can only be seen
from the Event Mapping Status / Edit dialogs - or can it be used to help the
user at an Event Console?
5) What implements the "magic parser"?
6) What implements the "magic mapper"?
7) How do I find out (print a list of) the default mapping of events to
classes? Where are they stored?
All comments and help gratefully appreciated!
Cheers,
Jane
-------------------- m2f --------------------
Read this topic online here:
http://forums.zenoss.com/viewtopic.php?p=26412#26412
-------------------- m2f --------------------
_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
