nv-l

Re: [nv-l] Filter editor question

2005-09-13 12:38:19
Subject: Re: [nv-l] Filter editor question
From: James Shanks <jshanks AT us.ibm DOT com>
To: nv-l AT lists.us.ibm DOT com
Date: Tue, 13 Sep 2005 12:35:57 -0400
Let's try this again.

trapd.conf has two kinds of entries, one for the enterprise and one for
each specific trap, under that enterprise.
This is the enterprise entry:  rfFaxServer {1.3.6.1.4.1.3529.2.1}

The specific entry will be more elaborate and lower down in the file.  If
you use xnmtrap to examine the file, it will display all the specific
entries listed under the enterprise.   Because the trapd.log entry says
rfFaxServer 6 2 4 args: LGSD:Library already loaded.

I can tell that the format statement for this trap is something like this:

$E $G $S $# args: $<something>

The $E is the enterprise name, rfFaxServer, the $G is 6, the $S is 2, and
so on.
So you are looking for the format of the specific trap number 2 under this
enterprise.
And when you find it, its format statement will tell you what variable in
the trap contains the message
"LGSD:Library already loaded."

If you are finding this exercise too difficult, then perhaps you should
call Support.  If you send them your trapd.conf, they will find the format
for you and help you write your script or ruleset or whatever you want.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group


                                                                           
Michael_Noonkesser AT bluecrossmn DOT com
Sent by: [email protected] us.ibm.com
09/13/2005 11:42 AM
Please respond to nv-l

To: nv-l AT lists.us.ibm DOT com
cc:
Subject: Re: [nv-l] Filter editor question
                                                                           
                                                                           





This is what is in trapd.conf.  rfFaxServer {1.3.6.1.4.1.3529.2.1}

Using the mib browser to try and locate the actual msg that is being
generated was not successful either. The msg that I am looking for is
generated by the app and does actually post to the Microsoft event log on
the host machine, but appears nowhere else except the trap itself.

Because the events come out with the same generic and specific trap ids I
want to match the message and then just block them from being processed.

Entire event to Netview Control Desk

Tue Sep 13 08:15:28 2005 pmsrfax1.bcbsmn A rfFaxServer 6 2 4 args: LGSD:Library already loaded.

SPECIFIC   : 2 (hex: 2)
GENERIC    : 6
CATEGORY   : Status Events
ENTERPRISE : rfFaxServer  1.3.6.1.4.1.3529.2.1
SOURCE     : Agent (A)
HOSTNAME   : server.domain.com
SEVERITY   : Minor
LOGGEDTIME : 0

The specifics I want to match on are everything after the last colon (:) in
the msg "  LGSD:Library already loaded."

This changes per alert but the specific 2 and generic 6 do not. The vendor
is no help and I'm stuck.

Thanks for any help you can provide.


Regards,

Mike Noonkesser
Office 651-662-1012
Fax    651-662-2279



James Shanks <jshanks AT us.ibm DOT com>
Sent by: owner-nv-l AT lists.us.ibm DOT com
09/13/2005 09:31 AM
Please respond to
nv-l AT lists.us.ibm DOT com


To
nv-l AT lists.us.ibm DOT com
cc

Subject
Re: [nv-l] Filter editor question






So what trap variable contains the message?  trapd.conf will tell you.
And what do you want to do when you have a match?

A filter only alters the display of an event window.  A ruleset may have
an action attached.  Presumably you could just use an Event Attribute node
in a ruleset to match the varbind number of the trap to the correct string
and connect it to an Action, some script you write.  But a better ruleset
would be Trap Settings for the correct enterprise first.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group



Michael_Noonkesser AT bluecrossmn DOT com
Sent by: [email protected] us.ibm.com
09/13/2005 10:22 AM
Please respond to nv-l

To: nv-l AT lists.us.ibm DOT com
cc:
Subject: [nv-l] Filter editor question







Hello List!

Running Netview 7.1.3 on Solaris 8

I am trying to build a filter/ruleset that will match on criteria specified
in the message field of the trap.

Tue Sep 13 08:15:28 2005 server_name.domain.com  A rfFaxServer 6 2 4 args: LGSD:Library already loaded.

The last portion of the line above is what I need to match because the
software vendor has most of their traps with the same specific and generic
trap ids for numerous meaningful traps with the same severity (no idea why).
The message is the only thing that is specific to the different traps
being generated.



Or if anyone has done a fine job monitoring Captaris Rightfax please share!

Regards,

Mike Noonkesser

----------------------------
Important news about email communications:

If our business rules identify sensitive information, you will receive a
ZixMail Secure Message with a link to view your message. First-time
recipients will be asked to create a password before they are granted
access. To learn more about ZixMail, ZixCorp Secure Email Message Center,
and other ZixCorp offerings, please go to
http://userawareness.zixcorp.com/secure4/index.php
----------------------------

The information contained in this communication may be confidential,
and is intended only for the use of the recipient(s) named above.
If the reader of this message is not the intended recipient, you
are hereby notified that any dissemination, distribution, or
copying of this communication, or any of its contents, is strictly
prohibited. If you have received this communication in error,
please return it to the sender immediately and delete the original
message and any copy of it from your computer system. If you have
any questions concerning this message, please contact the sender.

Unencrypted, unauthenticated Internet e-mail is inherently insecure.
Internet messages may be corrupted or incomplete, or may incorrectly
identify the sender.
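
The matching discussed in this thread, as an added example that is not part of the original messages and not NetView code: a Python triage over trapd.log lines that keys on enterprise, generic, specific and the text after the last colon of the message. The line layout is inferred from the single log line quoted in the thread (assumed to sit on one line in the log), and the suppression list and all sample lines except the first are constructed.

```python
import re

# Layout inferred from the single trapd.log line quoted in the thread:
# <timestamp> <host> <source> $E $G $S $# args: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +(?P<host>\S+) +"
    r"(?P<source>\S) +(?P<enterprise>\S+) +(?P<generic>\d+) +"
    r"(?P<specific>\d+) +(?P<nargs>\d+) +args: *(?P<message>.*)$"
)

# Hypothetical suppression list: (enterprise, generic, specific, detail text).
SUPPRESS = {("rfFaxServer", 6, 2, "Library already loaded.")}


def parse_line(line):
    """Return the trap fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("generic", "specific", "nargs"):
        ev[key] = int(ev[key])
    # "Everything after the last colon" is the part that varies per alert.
    ev["detail"] = ev["message"].rpartition(":")[2].strip()
    return ev


def triage(lines, suppress=SUPPRESS):
    """Split lines into (kept, dropped). Unparsable lines are always kept."""
    kept, dropped = [], []
    for line in lines:
        ev = parse_line(line)
        key = ev and (ev["enterprise"], ev["generic"], ev["specific"], ev["detail"])
        (dropped if key in suppress else kept).append(line)
    return kept, dropped


# First line is from the thread; the others are constructed for illustration.
SAMPLE = [
    "Tue Sep 13 08:15:28 2005 pmsrfax1.bcbsmn A rfFaxServer 6 2 4 args: LGSD:Library already loaded.",
    "Tue Sep 13 08:16:02 2005 pmsrfax1.bcbsmn A rfFaxServer 6 2 4 args: LGSD:Service stopped.",
    "Tue Sep 13 08:17:40 2005 host.example A otherAgent 6 2 1 args: Library already loaded.",
    "truncated or malformed line",
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE)
    print(f"dropped {len(dropped)}, kept {len(kept)}")
```

Matching on the full (enterprise, generic, specific, detail) tuple keeps the same text from another agent visible, and lines that fail to parse are kept so a format change cannot silently hide events.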