Customising Events and Mapping Traps in CA Spectrum

Document ID : KB000009419
Last Modified Date : 14/02/2018
Introduction:

Sometimes a trap from a managed device produces an event message starting with:

"Unknown alert from device...."

This happens because the trap OIDs are not certified in Spectrum; Spectrum needs a customised mapping before it can interpret them.

Consequently, no alarm is generated and the trap simply remains as an event. To fix this, create a customised event that raises an alarm for these traps.

Background:

Spectrum certifies many thousands of devices and their associated traps, but given the multitude of vendors and devices there will always be new or less popular ones that are uncertified. To interpret the traps and events raised by these devices once they are discovered, Spectrum needs a customisation that maps the traps to events and to attributes of the discovered but uncertified models that receive them.

Environment:
Spectrum 10.x
Instructions:

To create a custom trap/event mapping, you can do the following:

  1. Under the Tools menu in Spectrum OneClick, go to Utilities and select Event Configuration. 

  2. When Event Configuration appears, click on the 'Create New Event' icon. 

  3. Leave the Event code as is, but note it down (you will need it later). Type the message you would like this alarm to raise (for example, 'My Test Alarm'), then click OK.

  4. The new event will appear at the end of the events list on the left hand side navigation pane and will be described as New and Custom. 

  5. In the Right hand pane, under details, select the Alarms tab. Then select the appropriate severity you would like for this alarm. 

  6. Next, type in the Alarm title you would like to see. 

  7. Now, under Event message at the top of the right-hand pane, define the trap message. This is where the varbinds come in. If the Events list contains an unknown alert (that is, one whose trap is unmapped and not certified), you can obtain the trap type OID and varbinds from it. For example:

    Unknown alert received from device MYSERVER2 of type Host_Device. Device Time 2+22:44:01. (Trap type 1.3.6.1.4.1.8962.5.0.6.2) 
    Trap var bind data: 
    OID: 1.3.6.1.4.1.8962.5.2.1.1.0 Value: MYSERVER2 
    OID: 1.3.6.1.4.1.8962.5.2.1.2.0 Value: /My Company 
    OID: 1.3.6.1.4.1.8962.5.2.1.18.0 Value: 1 
    OID: 1.3.6.1.4.1.8962.5.2.1.19.0 Value: 7 
    OID: 1.3.6.1.4.1.8962.5.2.1.13.0 Value: 111 
    OID: 1.3.6.1.4.1.8962.5.2.1.14.0 Value: code-execution 
    OID: 1.3.6.1.4.1.8962.5.2.1.15.0 Value: signature 
    OID: 1.3.6.1.4.1.8962.5.2.1.16.0 Value: 200 
    OID: 1.3.6.1.4.1.8962.5.2.1.17.0 Value: 1 
    OID: 1.3.6.1.4.1.8962.5.2.1.6.0 Value: 1 
    OID: 1.3.6.1.4.1.8962.5.2.1.20.0 Value: 0 
    OID: 1.3.6.1.4.1.8962.5.2.1.21.0 Value: 0 
    OID: 1.3.6.1.4.1.8962.5.2.1.22.0 Value: 689438320872934406 
    OID: 1.3.6.1.4.1.8962.5.2.1.4.0 Value: HTTP: Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability VI 
    OID: 1.3.6.1.4.1.8962.5.2.1.5.0 Value: 7.DB.A.A.16.37.36.0.2B.0.0 
    OID: 1.3.6.1.4.1.8962.5.2.1.8.0 Value: SERVERs 
    OID: 1.3.6.1.4.1.8962.5.2.1.9.0 Value: 1 
    OID: 1.3.6.1.4.1.8962.5.2.1.10.0 Value: 6 
    OID: 1.3.6.1.4.1.8962.5.2.1.11.0 Value: http 
    OID: 1.3.6.1.4.1.8962.5.2.2.1.0 Value: tcp 
    OID: 1.3.6.1.4.1.8962.5.2.2.2.0 Value: 192.168.144.2 
    OID: 1.3.6.1.4.1.8962.5.2.2.3.0 Value: 192.168.144.1 
    OID: 1.3.6.1.4.1.8962.5.2.2.4.0 Value: 80 
    OID: 1.3.6.1.4.1.8962.5.2.2.5.0 Value: 49152 
    OID: 1.3.6.1.4.1.8962.5.2.3.1.0 Value: ie-x 
    OID: 1.3.6.1.4.1.8962.5.2.3.5.0 Value: No Others

    From this, you can specify the Event message as follows:

    My Test Alarm 
    Variable1 = {S 1} 
    Variable2 = {S 2} 
    Variable3 = {I 3} 
    etc..

    The lines above map the variables in the event message to the varbinds in the trap. The characters in curly brackets are placeholders that are replaced with variable binding values. Variable1 in the event is a string (S) and refers to event variable 1. As shown in the AlertMap configuration below, event variable 1 is associated with the first varbind (1.3.6.1.4.1.8962.5.2.1.1.0), whose value will be 'MYSERVER2'.

    Variable2 in the event message is also a string and is associated with the 2nd varbind (1.3.6.1.4.1.8962.5.2.1.2.0) in the AlertMap configuration below, whose value will be '/My Company'.

    Variable3 in the message is an integer (I) and is associated with the 3rd varbind (1.3.6.1.4.1.8962.5.2.1.18.0) in the AlertMap configuration below, whose value is 1.

    And so forth.

  8. Next, create an alert map file named AlertMap in the $SPECROOT/Custom/Events directory. This is a plain text file (without a .txt extension) that contains the mappings described in step 7 above. If the AlertMap file already exists, just append the new alert mapping configuration to it. In this case, for the first 3 variables detailed above, the AlertMap file would be:

    1.3.6.1.4.1.8962.5.0.6.2 0xfff00000 1.3.6.1.4.1.8962.5.2.1.1(1,0)\
    1.3.6.1.4.1.8962.5.2.1.2(2,0)\
    1.3.6.1.4.1.8962.5.2.1.18(3,0)

    The first line contains the trap type OID from the trap (1.3.6.1.4.1.8962.5.0.6.2) followed by the event code that was generated in step 2 above. Next comes the OID of the first varbind, minus the trailing 0 (the OID instance), followed by two numbers in brackets: the event variable number, and the number of the variable that will hold the OID instance (the OID table row number). A 0 in the second position means the OID instance data is not kept. Place a backslash after this and continue on each line as per the example. Important: there is no space between the OID and the opening bracket.

  9. Once the Event Configuration has been saved, you need to go to the VNM model and under its Component Detail view, expand the SpectroSERVER control section and click on "Update Event Configuration". This will load the new, customised event you have created.
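
The Event message from step 7 and the AlertMap entry from step 8 can be generated from the text of the unknown-alert event rather than typed by hand. The following is an added example, not part of the original article or of Spectrum: the function names and the rule that all-digit values become {I n} are assumptions, and the sample event is constructed from the first three varbinds shown in step 7.

```python
import re

# Constructed sample: the first three varbinds of the event shown in step 7.
SAMPLE_EVENT = """\
Unknown alert received from device MYSERVER2 of type Host_Device. Device Time 2+22:44:01. (Trap type 1.3.6.1.4.1.8962.5.0.6.2)
Trap var bind data:
OID: 1.3.6.1.4.1.8962.5.2.1.1.0 Value: MYSERVER2
OID: 1.3.6.1.4.1.8962.5.2.1.2.0 Value: /My Company
OID: 1.3.6.1.4.1.8962.5.2.1.18.0 Value: 1
"""

TRAP_RE = re.compile(r"\(Trap type ([0-9.]+)\)")
VARBIND_RE = re.compile(r"^\s*OID:\s*([0-9.]+)\s+Value:\s?(.*?)\s*$", re.M)


def parse_unknown_alert(text):
    """Return (trap_type_oid, [(varbind_oid, value), ...]) from the event text."""
    trap = TRAP_RE.search(text)
    varbinds = VARBIND_RE.findall(text)
    if not trap or not varbinds:
        raise ValueError("not an 'Unknown alert' event with varbind data")
    return trap.group(1), varbinds


def build_mapping(text, event_code, title):
    """Build the AlertMap entry (step 8) and the Event message (step 7)."""
    trap_oid, varbinds = parse_unknown_alert(text)
    entries, message = [], [title]
    for n, (oid, value) in enumerate(varbinds, start=1):
        base, _, instance = oid.rpartition(".")
        if instance != "0":
            # The article's example only covers scalar varbinds ending in .0.
            raise ValueError(f"varbind {oid} has a non-zero instance; map it by hand")
        # Assumption: all-digit values map to {I n}, everything else to {S n}.
        kind = "I" if re.fullmatch(r"-?\d+", value) else "S"
        entries.append(f"{base}({n},0)")  # no space before the opening bracket
        message.append(f"Variable{n} = {{{kind} {n}}}")
    # Every varbind but the last ends with a backslash, as in the article's example.
    alert_map = f"{trap_oid} {event_code} " + "\\\n".join(entries)
    return alert_map, "\n".join(message)


if __name__ == "__main__":
    alert_map, event_message = build_mapping(SAMPLE_EVENT, "0xfff00000", "My Test Alarm")
    print(alert_map, event_message, sep="\n\n")
```

Review the generated S/I types against the device's MIB before appending the entry to AlertMap, since the type is guessed from a single sample value.
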
Additional Information:

Working with Events and Alarms