Systems Management (OpenView-OP Mgmt) Practitioners Forum

Pattern Matching in OM

ramesh9
Acclaimed Contributor.

Pattern Matching in OM

OMU 9.x with OVO agent 11.x on HP Unix servers

 

I receive SNMP trap from NNM server and I need to pattern match for setting severity of the message.

 

The severity which I am interested is Critical, Major and Minor and Normal.

 

The message which I am trying to pattern match is,

 

1.3.6.1.4.1.11.2.17.19.2.2.20 (OctetString): .1.3.6.1.4.1.18568.2.1.1.2.2.1.13=22,.1.3.6.1.4.1.18568.2.1.1.2.8.1.1=23,.1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=1,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3=2,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.4=3,.1.3.6.1.4.1.11.2.17.2.2.0=94.56.246.102,cia.snmpoid=.1.3.6.1.4.1.18568.2.1.1.5.0.6,cia.address=94.56.246.102,cia.originaladdress=127.0.0.1,cia.tenant.name=SAN,cia.tenant.uuid=d5e94736-2269-4117-8d32-e4270103da87,cia.securityGroup.name=SAN,cia.securityGroup.uuid=6ed47082-925d-4e83-adf4-c4f94d3b3775

 

The pattern which I had developed for capturing Critical and Major messages is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[1|2]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

and for Minor message is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[3]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

and for Normal message is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[5]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

The severity is indicated by 3rd variable in the message.

 

When I apply pattern match for each severity in separate conditions in SNMP policy in following order,

 

Normal

Critical | Major

Minor

 

I am seeing Normal, Critical, Major works.

 

When Minor severity message arrives I am getting Critical or Major severity alert and I am seeing the condition for Critical | Major is executed.

 

I tried to change the order in snmp trap policy but end-result is same.

 

Is the pattern matching I am trying to do fine, or are there better alternatives?

 

Please help.

5 REPLIES
m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Try the below for Minor message :

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=3,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
ramesh9
Acclaimed Contributor.

Re: Pattern Matching in OM

Hello Vidyasagar

 

I had already tried this and it did not work.

 

In my SNMP policy the order in which condition for each severity is,

 

Critical

Normal

Minor

 

When I set the pattern matching you had specified in Minor condition, it is not being captured by Minor condition.

Instead the message is captured by Critical condition and raises a Critical alarm.

m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Hi Ramesh,

I see strange behaviour with the pattern matching.

I tried testing the same using the log file policy and I say that only the first rule is matching.

Check out the below snapshot ( Same has been attached as well ).

As per your Trap , var2 should always match .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2

If var2 matches correctly then the proper alert is triggered if not it triggers the improper alert ( say, instead of Minor it triggers Critical\Major ) in those cases var2 variable is showing as .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=3

Just looking, if there are any other ways to get through this.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Hi Ramesh,

Fed up with internet policies. I have sent you the image in private chat. Please check.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
ramesh9
Acclaimed Contributor.

Re: Pattern Matching in OM

Hello Vidyasagar

 

Thanks for your help, although I did not get your image in private message, it might have been blocked.

 

I checked again and I am seeing if following varbind,

 

.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3

 

has value 2

 

then the sub-pattern,

 

<*.var2>=[1|2]

 

is getting matched.

 

If .1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3 has value other than 2, then the sub-pattern 

 

<*.var2>=[1|2]

 

is not getting matched.

 

Now looking for further options to enhance.

 

If you have any inputs please share.
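
Added example, not part of any post in this thread and not OM policy syntax: a Python sketch of the behaviour the thread reports, where a `=2` in the fourth varbind satisfies the Critical|Major pattern, next to a field-by-field check that reads only the third varbind. It assumes each `<*>` behaves like an unrestricted `.*`; the function names and the shortened payload are constructed for illustration.

```python
import re

# Severity codes as stated in the thread: 1 or 2 -> Critical|Major, 3 -> Minor, 5 -> Normal.
SEVERITY = {"1": "Critical|Major", "2": "Critical|Major", "3": "Minor", "5": "Normal"}
P = ".1.3.6.1.4.1.18568.2.1.1"  # enterprise OID prefix taken from the posted trap

def sample(third, fourth):
    """Constructed payload: the posted trap shortened to seven key=value fields."""
    return ",".join([
        P + ".2.2.1.13=22",
        P + ".2.8.1.1=23",
        P + ".3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=" + third,
        P + ".3.1.18.1.3=" + fourth,
        P + ".3.1.18.1.4=3",
        "cia.address=94.56.246.102",
        "cia.tenant.name=SAN",
    ])

# Regex analogue of the Critical|Major pattern. ASSUMPTION: each <*> is modelled
# as ".*", i.e. it may also consume "," and "=" characters.
LOOSE = re.compile(r"^(.*)=(.*),(.*)=(.*),(.*)=([12]),(.*)=(.*),(.*)=(.*),(.*)$")

def loose_matches(payload):
    """True if the unrestricted-wildcard analogue can match at any alignment."""
    return LOOSE.match(payload) is not None

def severity_by_position(payload, index=2):
    """Split into fields first, then read only the index-th field's value."""
    fields = payload.split(",")
    if index >= len(fields) or "=" not in fields[index]:
        return "Unknown"
    value = fields[index].split("=", 1)[1].strip()
    return SEVERITY.get(value, "Unknown")

if __name__ == "__main__":
    # (third varbind value, fourth varbind value)
    for third, fourth in [("3", "2"), ("3", "4"), ("1", "4"), ("5", "2")]:
        p = sample(third, fourth)
        print(third, fourth, loose_matches(p), severity_by_position(p))
```

With the third varbind at 3 and the fourth at 2, the loose pattern still matches because the wildcard before `=[12]` absorbs the third field and its comma; when the fourth value is not 2 it stops matching, which is the dependency described in the last post.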