nv-l

Re: Rulesets + Correlation !!

2000-01-13 11:54:13
Subject: Re: Rulesets + Correlation !!
From: James Shanks <James_Shanks AT TIVOLI DOT COM>
To: nv-l AT lists.tivoli DOT com
Date: Thu, 13 Jan 2000 11:54:13 -0500

Grigoris -

What kind of help are you looking for?  It seems to me that these would be
fairly simple rulesets to write.  Have you read the Admin Guide about Rulesets?
Tried any others?   You might want to obtain the old redbook, SG24-4515-00
Examples Using NetView for AIX Version 4, which has a whole section on sample
rulesets.  It is a good place to start.  But here are my suggestions.

Case 1
-    I want to correlate the Interface up/down and Node up/down event to one
Node up/down event provided they came from the same node and are not
separated by more than 30 sec.

I would do it like this:

From the initial event stream, Set to Block, you add a Trap Settings node for
Node Down, 58916865 .  Also from the initial event stream you will add a Trap
Settings for Node Up, 58916864.   Now add a Reset-On-Match.  The match condition
is Attribute 2 (which for NetView traps is always the hostname  that the trap is
about) and the time setting is 30 seconds (I think this is way too small  by the
way).  Now connect the Node Down Trap Setting to the Reset as Slot 1 and the
Node UP as Slot 2.  And finally add a Forward connected to the Reset.  This
ruleset by itself will handle the Node down / Node up case, and I would suggest
you try it before proceeding to make sure it does what you want.

To deal with the Interface Down / Up situation, I would copy the preceding
ruleset and modify the copy.  You add to it two more Trap Settings nodes,
connected to the Initial Event Stream, with one being for Interface Down and the
other for Interface Up.  Then you add a Reset-on-Match as you did before only
now you are going to match on multiple conditions, Attribute 2 (the hostname)
and Attribute 3.2  (this means the second word of  the third attribute and gives
the name of the interface).  Set the time again to 30 seconds (a couple of
minutes would be better and more realistic) and then connect the Interface
Down to Slot 1 of the Reset, and Interface Up to Slot 2.  Then connect the Reset
to the Forward which is already there.

When you run this ruleset in a workspace you will see only those Interface Down
and Node Down events which were not matched. The matched ones will not show up.

Case 2:

-    All events are coming from the same node with the same specific more than
20 times within 1 min. have to be forwarded only one time.

After you have finished with Case 1, this should be easy.   From the Initial
Event Stream, set to Block, connect a Threshold block and set it to a Type of
First and a Count of 20.  Set the time period to 1 minute and click the
Threshold by Attribute #1 box. For the Attribute Selection, select Attribute 2
to get the hostname.  Click "OK " to get out of the dialog.  Then click the
Threshold by Attribute #2 box. For the Attribute Selection, select Specific  to
get the specific trap number.  Click "OK " to get out of the dialog. Now add a
forward node and connect it to the Threshold node and you are done.


IMPORTANT:  Now that I have helped you with these I have some real concerns
about what you are trying to do.  Real Node Down / Node Up  and Interface
Down/Interface Up events do not occur for the same Node or Interface within 30
seconds under normal conditions.  They only occur when a netmon detects a status
change and the default polling cycle is every 5 minutes.  So usually, you would
not see these traps come in back to back like that, unless your polling
cycle has been changed or your ping time-outs are too short.  In that case you
should amend your polling parms using xnmsnmpconf to fix them, rather than to
mask the problem with a ruleset.  Do you follow me here?

I have a similar concern for the second ruleset.  netmon  will never send the
same trap for the same node 20 times in one minute, so the only use this could
be for is to suppress traps from the display from agent devices, such as
routers, which are sending too many traps to NetView.  These should be stopped
at the source, because you can flood trapd and prevent NetView from working
correctly if your routers are sending the same trap too many times and too
frequently.  Reconfigure the routers to not send traps you don't care to see and
to send the ones you do want only once.  Then you won't need a ruleset like Case
2.

Hope this helps

James Shanks
Tivoli (NetView for UNIX) L3 Support



Grigoris Karakatsoulis <grigoris.karakatsoulis AT SYSTEMATICS DOT DE> on 01/13/2000 10:46:14 AM

Please respond to Discussion of IBM NetView and POLYCENTER Manager on NetView
      <NV-L AT UCSBVM.UCSB DOT EDU>

To:   NV-L AT UCSBVM.UCSB DOT EDU
cc:    (bcc: James Shanks/Tivoli Systems)
Subject:  Rulesets + Correlation !!




From: Grigoris Karakatsoulis@SYSTEMATICS on 13.01.2000 16:46


To:   nv-l AT ucsbvm.ucsb DOT edu
Cc:
Subject:  Rulesets + Correlation !!

Hello everybody!

I need help with these correlations:

-    I want to correlate the Interface up/down and Node up/down event to one
Node up/down event provided they came from the same node and are not
separated by more than 30 sec.


-    All events are coming from the same node with the same specific more than
20 times within 1 min. have to be forwarded only one time.



Thanks

Grigoris Karakatsoulis

Systematics INTEGRATIONS GmbH
Barmbeker Straße 2
22303 Hamburg

Telefon:  +49 (040) 6960 - 2258
Fax:      +49 (040) 6960 - 3258
Mobil:    +49 (0172) 4383067
e-Mail:   grigoris.karakatsoulis AT systematics DOT de
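
The Reset-on-Match behaviour described for Case 1 in the reply above, modelled as an added example (not code from the thread and not NetView's own implementation). The trap labels, the attribute 3 text and the sample events are constructed here, and the model assumes that an Up trap with no held Down trap is simply dropped:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trap:
    time: float      # seconds since the start of the sample
    name: str        # NODE_DOWN / NODE_UP / IF_DOWN / IF_UP (labels chosen here)
    attr2: str       # hostname the trap is about
    attr3: str = ""  # free text; its second word is taken as the interface name

def word(text, n):
    """Return the n-th whitespace-separated word, or '' if there is none."""
    parts = text.split()
    return parts[n - 1] if len(parts) >= n else ""

# (slot 1 trap, slot 2 trap, match key). In the thread, Node Down and Node Up
# are specifics 58916865 and 58916864.
RULES = [
    ("NODE_DOWN", "NODE_UP", lambda t: (t.attr2,)),
    ("IF_DOWN", "IF_UP", lambda t: (t.attr2, word(t.attr3, 2))),
]

def reset_on_match(traps, window=30.0):
    """Return the slot 1 traps that were not reset within `window` seconds."""
    held = {}        # (rule index, match key) -> held slot 1 trap
    forwarded = []
    for trap in sorted(traps, key=lambda t: t.time):
        # Release held traps whose window ran out before this trap arrived.
        for k, h in list(held.items()):
            if trap.time - h.time > window:
                forwarded.append(held.pop(k))
        for i, (down, up, key) in enumerate(RULES):
            k = (i, key(trap))
            if trap.name == down:
                held.setdefault(k, trap)   # a repeat while held is ignored (model choice)
            elif trap.name == up:
                held.pop(k, None)          # match: neither trap is forwarded
    forwarded.extend(held.values())        # end of sample: remaining windows expire
    return sorted(forwarded, key=lambda t: t.time)

# Constructed sample events.
SAMPLE = [
    Trap(0, "NODE_DOWN", "rtr1"),
    Trap(20, "NODE_UP", "rtr1"),                         # within 30 s: suppressed
    Trap(40, "NODE_DOWN", "rtr2"),
    Trap(100, "NODE_UP", "rtr2"),                        # 60 s later: Down forwarded
    Trap(110, "IF_DOWN", "rtr1", "Interface eth0 down"),
    Trap(115, "IF_UP", "rtr1", "Interface eth1 up"),     # other interface: no match
    Trap(120, "IF_UP", "rtr1", "Interface eth0 up"),     # resets eth0
    Trap(130, "IF_DOWN", "rtr1", "Interface eth1 down"), # never reset: forwarded
]
```

Calling `reset_on_match(SAMPLE)` forwards only the `rtr2` Node Down and the `eth1` Interface Down; raising `window` to a couple of minutes, as the reply recommends, also suppresses the `rtr2` pair.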

