Why do some traps not alarm in Spectrum?

Document ID : KB000012934
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

I am trying to monitor a shared partition with Spectrum.  We set up self monitoring on the sysEdge agent using autowatch via SysEdge.cf but the traps are not alarming in Spectrum.

autowatch -index=68 -name=cdrive -watchtype=generic -table=devTableEntry -attribute=devCapacity -interval=60 -criteria='.*' -op=ge -value=15 -severity=critical -desc=cdrive -objclass=FileSystem -objattr=PercentUsed -monflags=0x0 

In the example above the value is 15 which forces a trap, but in real life the value would be higher.

Question:

How do I make my sysEdge autoWatch traps alarm in Spectrum?

Environment:
system edge agent (v12.8.2)?Spectrum supported versions
Answer:

1. We first must verify that the Spectrum Server is receiving the traps being sent by SysEDGE Agent.

 This can be done via a sniffer trace - we recommend the Wireshark application.  If we are not receiving communication from the sysEdge ip on port 162, then Spectrum is not going to receive a trap.  If not then the SysEdge.cf in tmp to verify if the trap_community public i.p. 162 is configured.

Please note it must be set to port 162 or Spectrum see it.

2. Is the customer seeing "Unknown alert received" events asserted on the Host_systemEDGE model?

If so then the trap is arriving, but the trap is not supported out of the box and has not been mapped in Spectrum.  We will need to use the trap information, to create custom mappings in Spectrum, to make the trap alarm.

e.g. unknown trap from sysedge agent arrives to Spectrum as follows: 

enterprise: 1.3.6.1.4.1.546.1.1 (iso.3.6.1.4.1.546.1.1) 

generic-trap: enterpriseSpecific (6) 

specific-trap: 21 

variable bindings for this trap: 

Object Name: 1.3.6.1.4.1.546.17.1.1.1.7 (iso.3.6.1.4.1.546.17.1.1.1.7) 

Object Name: 1.3.6.1.4.1.546.17.1.1.2.7 (iso.3.6.1.4.1.546.17.1.1.2.7) 

Object Name: 1.3.6.1.4.1.546.17.1.1.3.7 (iso.3.6.1.4.1.546.17.1.1.3.7) 

Object Name: 1.3.6.1.4.1.546.17.1.1.4.7 (iso.3.6.1.4.1.546.17.1.1.4.7) 

 

A grep in the CsVendor folder, shows no results for this trap 1.3.6.1.4.1.546.1.1.6.21. or the variable bindings so we need to create a custom alert map entry at

<$SPECROOT>\custom\Events\AlertMap in the following format 

and a custom event to alarm - <0x000fffxxx>

# trap name 

1.3.6.1.4.1.546.1.1.6.21 0x000fffxxx 1.3.6.1.4.1.546.17.1.1.1.7(1,2) \ 

1.3.6.1.4.1.546.17.1.1.2.7(2,3) \ 

1.3.6.1.4.1.546.17.1.1.3.7(14,0) \ 

1.3.6.1.4.1.546.17.1.1.4.7(18,5) 

This is an example of a customized trap and its varbind mappings.

 

Additional Information:

For more information on customization traps, please see:

https://docops.ca.com/ca-spectrum/10-1-and-10-1-1/en/managing-network/event-configuration/alertmap-files#AlertMapFiles-AlertMapFileSyntax 

Please note that customized alarms will not be troubleshot by CA support, as they are customized and are not part of the supported "out of the box" product.