How to suppress process down alarms using Condition Correlation Editor

Document ID : KB000029475
Last Modified Date : 14/02/2018
Show Technical Document Details

This solution will resolve the following customer requirement.

Requirement:

If you have two processes, Process 1 (notepad in this example) and Process2 (firefox is this example) running on a server, event 0x2390000e is generated when these processes go down.

A requirement may be that when notepad goes down you need a process down alarm and when this is followed by the Firefox down immediately both the process down alarms should be suppressed and a single alarm should trigger on the correlation domain. 

In case you receive a process down alarm for other processes on the same server , generate the process down alarms without any correlation.

 

Solution:

1. 2390000e --> Set event for process down

2. 23900007 -> Clear event for process down

3. Logon to Oneclick -> Tools -> Utilities -> Event configuration editor and filter for 2390000e event.Now remove the default critical alarm 23900003 from this event and map the severity to None.

4. Create 3 new events from event configuration editor with the same event message as 2390000e event and map the alarm code 23900003 to all these 3 events

     Assume fff00002 ---> Triggers when Notepad process goes down

                 fff00003   ---> Triggers when Firefox process goes down

                fff00001    ---> Triggers when any other process goes down on the same server apart from the above 2 process

 

5. Create one more new event from ECE in Oneclick which will be used for the correlation alarm say event code 0xfff00021 and alarm code as 0xfff00021. Configure a custom event message as per your requirement.

6. Created the below event condition rule on 2390000e event from Oneclick Event configuration editor

        -   If 2390000e exists and varbind 3 contains notepad generate fff00002 event

with a minor alarm. 

       -   If 2390000e exists and varbind 3 contains firefox process generate fff00003

event with a minor alarm.

       -  If 2390000e exists and varbind 3 contains a value other than notepad or

firefox, generate fff00001 event with a minor alarm. 

Save the changes in the editor.

EventRule.bmp

 

7. Configure the below CCE entries from Oneclick condition correlation editor

     Condition:

             Condition 1 with set event as fff00002 and clear event as 23900007

             Condition 2 with set event as fff00003 and clear event as 23900007

             Condition 3 with set event as fff00021 and clear event as 23900007

   Add the model name attribute parameter to condition 1 and 2

   Rule:

 

Symptom condition:

Condition 1 and 2

Relationship:

Implied cause

Root cause:

Condition 3

Target: correlation domain

Rule criteria:

Condition 1 . <parameter name>  equal to condition 2.<parameter name> --> As both Condition 1 and Condition 2 events should trigger on same model in a sequence

Policy:

Create a new policy and map the above rule to this policy

Domain:

Map a new domain to policy and add the required models into the domain.

In the below screeshot ProcessDown is Condition 1 , ProcessDown1 is condition 2 and Processdown2 is correlation condition which is condition 3.

 

CCE.bmp

Outcome:

1. If notepad process goes down, fff00002 event is generated

2. If firefox goes down, generate fff00003 event

3. If both are down, Correlation comes into picture and generates fff00021 event on the correlation domain model and suppress the above alarms from step 1 and 2

4. If other processes goes down on this server, fff00001 event is generated with an alarm