headers
James Zuelow | 1 Dec 2009 02:34
Picon

How to make a "not" match for event vbnumber

I am sending Microsoft Server 2008SP2/2008R2 logon events to OpenNMS via evntwin traps.  They turn event
4624 into traps.

Server 2008SP2 typically sends two traps per user login, one with the SID and one with the SID set to all zeroes.

I don't want double notifications, so I can filter on the event that arrives with the SID zeroed out like this:

 <varbind>
    <vbnumber>18</vbnumber>
    <vbvalue>{00000000-0000-0000-0000-000000000000}</vbvalue>
 </varbind>

However, 2008R2 does NOT send two events.  So if I use the above filter I won't get any notifications from
2008R2 boxes.

Is there a syntax to turn the above varbind into a not match?

Googling for "xml not syntax" isn't helpful -- the word not is used in too many specifications.  :(

James Zuelow
Network Specialist
City and Borough of Juneau MIS (907)586-0236
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ
(Continue reading)

Permalink | Reply | 2 comments |
headers
omar.crea | 1 Dec 2009 10:24
Picon

Re: Alarm based on a trap variable

Why are you using varbind "5"? 
From the trap you posted, I see four varbinds only, and 
it seems that the first one may have your attention.

And you should insert a "~cancelado" to correctly match 
the example string you posted, because "cancelado%" only 
match if the word is at the beginning of the string.

See http://www.opennms.org/wiki/Event_Configuration_How-To 
for details.

Regards.

On Mon, 30 Nov 2009 08:47:32 -0800 (PST), ofullana
<ofullana <at> central.aplitec.com> wrote:
> Hi Austin
> 
> Thanks for your help. I've been playing a little with varbinds, with no
> luck. My first question is "how can I know what vbnumber to use?" Here is
> the unformatted event:
> 
> .1.3.6.1.4.1.1302.3.3.5="El usuario cancel� una operaci�n de punto de
> recuperaci�n en la unidad Copia de seguridad de unidad de SISTEMA
> (C:\).Se
> ha cancelado el trabajo en curso.El usuario ha cancelado la operaci�n."
> .1.3.6.1.4.1.1302.3.3.1="LUCILE" .1.3.6.1.4.1.1302.3.3.2="Backup Exec
> System
> Recovery" .1.3.6.1.6.3.1.1.4.3.0=".1.3.6.1.4.1.1302.3.1.4.4.2"
> 
> I see three varbinds. The first one is called "messagetext" and want to
(Continue reading)

Permalink | Reply | 10 comments |
headers
omar.crea | 1 Dec 2009 10:38
Picon

Re: How to make a "not" match for event vbnumber

You can use two different configuration: 
- the first configuration is your current one, matching varbind 
18. Set this trap to "logonly" if you won't to see it.
- the second configuration is without the 18th varbind, so 
it can match all the other traps of this type. Set its logmsg 
to "logndisplay".

Pay attention to include the above configurations using 
the specified order (most specific match goes first).

Regards.

On Mon, 30 Nov 2009 16:34:39 -0900, James Zuelow
<James_Zuelow <at> ci.juneau.ak.us> wrote:
> I am sending Microsoft Server 2008SP2/2008R2 logon events to OpenNMS via
> evntwin traps.  They turn event 4624 into traps.
> 
> Server 2008SP2 typically sends two traps per user login, one with the SID
> and one with the SID set to all zeroes.
> 
> I don't want double notifications, so I can filter on the event that
> arrives with the SID zeroed out like this:
> 
>  <varbind>
>     <vbnumber>18</vbnumber>
>     <vbvalue>{00000000-0000-0000-0000-000000000000}</vbvalue>
>  </varbind>
> 
> However, 2008R2 does NOT send two events.  So if I use the above filter I
> won't get any notifications from 2008R2 boxes.
(Continue reading)

Permalink | Reply | 1 comment |
headers
omar.crea | 1 Dec 2009 10:49
Picon

Re: sending 'custom' events, eui not found

Hi Austin, 
I'm using the 1.6.x version of OpenNMS, so I don't 
know if this will work for you, but the best way to 
debug this kind of problem is to monitor the trapd.log 
and eventd.log log files (enable them in debug mode first): 
they will tell you the truth. :)

If this comment does not apply to the 1.7.7 version, excuse me. 

Have a nice day!

On Tue, 24 Nov 2009 22:47:25 -0800, Austin Schutz <tex <at> off.org> wrote:
> I've been working with send-event.pl (very handy!)
> 
> One issue which I've been having trouble with is my events show up as
> "An event with no matching configuration". I am trying to send
> 
> uei.opennms.org/standard/rancid/traps/rancidTrapDownloadFailure
> 
> events, which are clearly marked in etc/events/Rancid.events.xml, which 
> is clearly included in etc/eventconf.xml.
> 
> How would one go about debugging this?
> 
> I am using OpenNMS 1.7.7, installed via the jar file.
> 
> Thanks for looking!
> Austin
> 
>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Michael Danko | 1 Dec 2009 11:04
Gravatar

categories.xml from example/demo

Can anyone post the categories.xml from the demo site, which is also the one used in
http://www.opennms.org/wiki/Configure_Main_Window_Categories ?

Trying to duplicate its behavior, but the parts I'd need to clone aren't available in the example. 

Thanks,

Mike
------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss
Permalink | Reply | 1 comment |
headers
Dominik Klein | 1 Dec 2009 12:13

Auto-acknowledging events: What can I use in <match>?

Hi

the subject says it all. When configuring auto-acknowledge elements in
notifd configuration, where can I find a list of things i can put in the
<match> tags? I couldn't find examples or docs using more than
interfaceid, nodeid and (i think) serviceid.

Is it possible to e.g. match the ifName or ifIndex?

Thanks,
Dominik

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss
Permalink | Reply | 0 comments |
headers
ofullana | 1 Dec 2009 14:30
Gravatar

Re: Alarm based on a trap variable


Well, I'm a newbie... I wasn't sure if varbind numbers were assigned inside
the MIB file or simply match the order they are placed inside the trap. I
managed to get it working, but only if I told the event to match "El" form
the text "El usuario cancelo la ..." inside the messagetext varbind. If I
try to match a word conatined into de text (I tested "~cancelado",
"~cancel", "~[c-C]ancel") it isn't recognized. Do you know what I'm missing?
I need this because there are several error conditions: Backup job
cancelled, service stopped, backup job error, etc...

Thanks for your help.

Ofullana

omar.crea wrote:
> 
> Why are you using varbind "5"? 
> From the trap you posted, I see four varbinds only, and 
> it seems that the first one may have your attention.
> 
> And you should insert a "~cancelado" to correctly match 
> the example string you posted, because "cancelado%" only 
> match if the word is at the beginning of the string.
> 
> See http://www.opennms.org/wiki/Event_Configuration_How-To 
> for details.
> 
> Regards.
> 
> On Mon, 30 Nov 2009 08:47:32 -0800 (PST), ofullana
(Continue reading)

Permalink | Reply | 9 comments |
headers
Dominik Klein | 1 Dec 2009 15:20

data-collect number of entries with a certain value in an snmp table?

Hi

I'd like to monitor the number of connections to a specific port on a node.

I can query this information from net-snmp using
snmpwalk on .1.3.6.1.2.1.6.13.1.1.10.2.50.24.3306 (ie tcpconnstate for
ip 10.2.50.24 and port 3306).

Is it possible to define data-collection for the number of entries
within a table that have a certain value (like "5" for connection
established)?

Regards
Dominik

------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing. 
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss
(Continue reading)

Permalink | Reply | 4 comments |
headers
samuel.mutel | 1 Dec 2009 15:29
Picon
Favicon

Translator & ipaddr field

Hello,

I want to change the ipaddr field of an event with Event Translator.
So I put in the config this :

<event-translation-spec uei="uei.opennms.org/ose/nagios/external/nOseHostNotDownEvent">
      <mappings>
        <mapping>
          <assignment name="uei" type="field">
            <value type="constant" result="uei.opennms.org/ose/nagios/internal/nOseHostNotDownEvent" />
          </assignment>
          <assignment type="field" name="nodeid">
            <value type="sql" result="select node.nodeid from node where node.nodeLabel=? and node.nodeType !=
'D'" >
              <value type="parameter" name=".1.3.6.1.4.1.20006.1.1.1.2" matches=".*" result="${0}" />
            </value>
          </assignment>
          <assignment type="field" name="ipaddr">
            <value type="sql" result="select ipInterface.ipaddr from node, ipInterface where node.nodeLabel=?
and node.nodeId=ipinterface.nodeid and ipInterface.issnmpprimary = 'P' and ipInterface.isManaged
!= 'D' and node.nodeType != 'D'" >
              <value type="parameter" name=".1.3.6.1.4.1.20006.1.1.1.2" matches=".*" result="${0}" />
            </value>
          </assignment>
        </mapping>
      </mappings>
    </event-translation-spec>

I have this error in translator.log :
(Continue reading)

Permalink | Reply | 0 comments |
headers
omar.crea | 1 Dec 2009 15:48
Picon

Re: Alarm based on a trap variable

Trap varbinds are positional, so you will always find 
".1.3.6.1.4.1.1302.3.3.5" as the first varbind, and so on 
(see your MIBs for this). Obviously, if you simulate the 
traps, you must place varbinds in the same order for your 
event configuration to work.

To entirelly test your case, you can place more than one 
configuration for the same trap (each with different varbind 
decode, of course). For example:

1. "~cancelado"
2. "[cC]ancel"
3. (others)
4. general case, without varbind decode

This way your trap can "traverse" the various configurations, 
stepping to the general one if the varbind does not match.

If you still encounter issues, please control (and post, if 
necessary) a piece of your trapd.log file.

Regards.

On Tue, 1 Dec 2009 05:30:53 -0800 (PST), ofullana
<ofullana <at> central.aplitec.com> wrote:
> Well, I'm a newbie... I wasn't sure if varbind numbers were assigned
inside
> the MIB file or simply match the order they are placed inside the trap. I
> managed to get it working, but only if I told the event to match "El"
form
(Continue reading)

Permalink | Reply | 8 comments |

Gmane