
Configuring Event Defaults in SNMP Trap Policies

The Default Event Attributes page enables you to indicate default settings for all events generated by the policy.

These defaults affect all new and existing rules. You can override the defaults in individual rules if needed. If a rule contains empty event attributes, the agent will use the defaults for the new event.

To access

In the Operations Connector user interface, click Create in the toolbar, then click Event > SNMP Interceptor. The SNMP Trap Policy editor opens.

Alternatively, double-click an existing SNMP trap policy to edit it.

Click Defaults to open the Default Event Attributes page.

Tasks

Configure events for SNMP trap policies

This task describes how to configure default settings for all events generated by the policy.

  1. Click Event Attributes to define default event attributes, such as severity and category.

    After loading the indicators from the connected OMi server, the Indicators tab shows a hierarchy of configuration item types.

    To insert an indicator, drag the indicator with its state from the Indicators tab to the policy.

  2. Click Event Correlation to specify the Event Key and Close Events with Key. Additionally, you can suppress deduplication on the server by selecting the available check box.

  3. Click Advanced to define default advanced attributes such as legacy HPOM attributes and agent MSI (Message Stream Interface) settings.

  4. Optional. Use the Indicators tab to add indicators to the source or target value fields. After loading the indicators from the connected OMi server, the Indicators tab shows a hierarchy of configuration item types with the associated health indicators (HIs) and event type indicators (ETIs).

  5. Optional. In the Policy Variables tab, add policy variables to event attributes. Operations Connector replaces the variables with the appropriate values in the generated event.

    Use quotation marks to surround variables, for example "<$MSG_NODE>" or "<$MSG_GEN_NODE>", at least for those variables whose values can contain space characters.

UI Descriptions

Event Attributes Tab

UI Element

Description

Severity

Severity assigned to the event (Critical, Major, Minor, Warning, Normal, Unknown).

Category

Name of the logical group to which the event belongs (for example, Database, Security, or Network). The event category is similar in concept to the Operations Manager message group.

Event Correlation Tab

UI Element

Description

Event Key An identifier used to identify duplicates and for Close Events with Key.
Event Suppression
Enable Event Suppression

Enables event suppression for the events generated by this policy.

If event suppression is enabled in the event defaults, you can choose to apply them to or override them for this rule:

Use default settings for Event Suppression. Applies the event suppression settings configured in the event defaults to this rule.

Override default settings for Event Suppression. Enables you to configure specific event suppression settings for this policy rule.

Suppress events which are
  • Generated by the same input event. Select this option to suppress events that were sent in response to two separate input events that are identical except for the date and time that the event was generated (for example, identical entries in a log file).

  • Generated by the same rule. Select this option to suppress events that match the pattern specified for the selected rule. This is a more general setting for the suppression of duplicate events. For example, a policy might contain a rule with this match pattern: Error Message<#>. The log file lines Error Message10 and Error Message20 are not identical, but would both match this rule.

  • Identical relative to their attributes. Select this option to suppress either events that have the same event key or (if no event key is present) events that have identical event attributes (except for the date and time that the event was generated).

Suppression Method

For event correlation, you can define one of three correlation methods:

  • Time Interval. This correlation method lets you define an interval during which duplicate events will be ignored. For more information, read this detailed example.

    Time interval correlation example

    In the illustration below, the interval is set to 30 seconds, but the suppression is limited to 60 seconds.

    The  represents events that are identical. 

    1. The first input event (E1) matches a rule in the policy. The policy sends an event and starts timing.
    2. A second matching event (E2) occurs 25 seconds later. This event occurred less than 30 seconds after the first event, and is therefore suppressed.
    3. A third matching event (E3) occurs less than 30 seconds after the second event, and so is also suppressed.
    4. The next matching event (E4) occurs less than 30 seconds after the third event, but is also more than 60 seconds after the first event, and therefore the policy sends an event.
  • Counter. This correlation method counts the number of matching input events and sends an event only after the number of matching input events equals the counter threshold. The counter can also be reset to zero after a time period that you specify. For more information, read this detailed example.

    Counter correlation example

     The  represent events that are identical. 

    1. The first input event (E1) matches a rule in the policy, and the counter increments to one. No event is sent.
    2. A second matching event (E2) occurs, the counter increments to two, an event is sent, and the counter resets.
    3. A third matching event (E3) occurs, and the counter increments to one. No event is sent.
    4. The next matching event (E4) occurs more than thirty seconds after the third event. Since at thirty seconds the counter was reset to zero, the counter now increments to one. No event is sent.
  • Time Interval/Counter. If you use the Time interval and Counter together, events are evaluated first by the timer. If an event passes the timer, it is then evaluated by the counter, which either suppresses it or sends an event to OMi.

    If you specify just time interval correlation or just counter-based correlation in an individual event, any event defaults for the other correlation method also apply. For example, if you specify time interval correlation for an event, and the event defaults specify counter-based correlation, the combined time interval and counter-based correlation applies to both new rules and existing rules.

    You can change this default behavior, so that only the correlation method that you specify in the individual event applies. To change the default behavior, set the parameter OPC_IGNORE_DEFAULT_MSG_CORRELATION=TRUE in the eaagt namespace on the node. You can configure this parameter using ovconfchg at a command prompt.
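
The two walkthroughs above and the combined Time Interval/Counter method can be replayed with a small simulation. This is an added example, not Operations Connector code; the class and function names are hypothetical, and it assumes the interval is measured from the previous matching input event (as in the E1 to E4 walkthrough), that the counter's reset clock starts at the first counted event, and that the "no longer than" limit is inclusive.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TimeIntervalSuppressor:          # hypothetical name, not a product API
    interval: float                    # "Time Interval" (seconds)
    max_suppress: float                # "Suppress for no longer than" (seconds)
    first_sent: Optional[float] = None # when the last event was actually sent
    last_seen: Optional[float] = None  # when the last matching input arrived

    def passes(self, t: float) -> bool:
        """Return True if the input event at time t is NOT suppressed."""
        suppressed = (
            self.last_seen is not None
            and t - self.last_seen < self.interval        # inside the interval
            and t - self.first_sent <= self.max_suppress  # cap not yet exceeded
        )
        self.last_seen = t
        if not suppressed:
            self.first_sent = t        # sending restarts the timing
        return not suppressed

@dataclass
class CounterSuppressor:               # hypothetical name, not a product API
    threshold: int                     # "Counter threshold"
    reset_after: float                 # "Reset counter threshold after" (seconds)
    count: int = 0
    started: Optional[float] = None    # assumption: reset clock starts at first count

    def passes(self, t: float) -> bool:
        if self.count and t - self.started >= self.reset_after:
            self.count = 0             # reset period elapsed
        if self.count == 0:
            self.started = t
        self.count += 1
        if self.count >= self.threshold:
            self.count = 0             # threshold met: send and reset
            return True
        return False

def simulate(times, timer=None, counter=None):
    """Timer is evaluated first; only events that pass it reach the counter."""
    results = []
    for t in times:
        ok = timer.passes(t) if timer else True
        if ok and counter:
            ok = counter.passes(t)
        results.append("sent" if ok else "suppressed")
    return results

if __name__ == "__main__":
    # Constructed arrival times (seconds) matching the E1..E4 walkthroughs above.
    print(simulate([0, 25, 45, 65], timer=TimeIntervalSuppressor(30, 60)))
    print(simulate([0, 10, 20, 55], counter=CounterSuppressor(2, 30)))
```

Under these assumptions, a trap repeating every 10 seconds with a 30-second interval and a 60-second limit is forwarded at 0, 70, and 140 seconds, so the "Suppress for no longer than" value is what keeps a sustained burst visible on the server.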

Time Interval

Time interval during which duplicate events are ignored.

Suppress for no longer than

Time interval after which duplicate events are no longer ignored.

Counter threshold Value that triggers an event if met or crossed.
Reset counter threshold after

Time interval after which the counter is reset to 0.

Advanced Tab

UI Element

Description

OM Attributes
Application

Application that caused the event to occur. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the application attribute is a simple string-type attribute (for example, Oracle and OS).

Object

Device such as a computer, printer, or modem. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the object attribute is a simple string-type attribute (for example, C: and /dev/spool).

HPOM Service ID

ID of the service associated with the event. A service ID is a unique identifier for a service and can be used in OMi to identify the node and CI associated with the event.

Agent MSI

The message stream interface (MSI) allows external applications to interact with the internal event flow of Operations Agent. The external application can be a read-write application, for example, an event processing program that can read events, modify attributes, and generate new events for retransmission to the server. The application could also read events, or send its own events.
Divert events If Agent MSI is enabled, diverts an event to the MSI instead of to the server when an event is requested by an external application.
Copy events If Agent MSI is enabled, sends the event to the server, and a copy of the event to the MSI.

Indicators Tab

UI Element

Description

Refresh. Loads the configured indicators from the connected OMi server.

  • Loading indicators from the OMi server may take a few seconds.

  • The Operations Connector server must be configured as an Operations Connector integration server in OMi for the indicators to load successfully.

<Search …>

Entered search string is used to search the indicators and highlight only the indicators containing the specified string.

To search for indicators with specific text strings in the name, type the string in the <Search …> field and click the search button. The first matching indicator is selected in the list of rules. Use the previous and next buttons to move to the previous and next matching indicator.

<Indicators>

Hierarchy of configuration item types with associated health indicators (HIs), which are applicable for the event integration only, and event type indicators (ETIs). To insert an indicator with a state in a policy, drag and drop the indicator from the Indicators tab to the relevant field in the policy.

Policy Variables Tab

Policy Variables Tab for Database and REST Web Service Listener Policies (Events only)

Variable Description
<$MSG_APPL> Returns the name of the application associated with the input event that caused the message. Sample output: /usr/bin/su(1) Switch User
<$MSG_GEN_NODE> Returns the IP address of the node that sends the event. Sample output: 192.168.1.123.
<$MSG_GEN_NODE_NAME> Returns the host name of the node that sends the event. Sample output: node123.example.com.
<$MSG_GRP> Returns the default category of the event. Sample output: Security
<$MSG_ID> Returns the unique identity number of the event, as generated by the Operations Agent. Note that identity numbers are not generated for suppressed messages. Sample output: 6e998f80-a06b-71d0-012e-0f887a7c0000
<$MSG_NODE> Returns the IP address of the node on which the original event took place. Sample output: 192.168.1.123
<$MSG_NODE_NAME> Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis. For example, if the policy is receiving SNMP traps that originate from other devices, you might want to set this variable to the name of the device where the trap originated.
<$MSG_SERVICE> Returns the service name associated with the event.
<$MSG_SEV> Returns the default value for the severity of the event. Sample output: Normal
<$MSG_TEXT> Returns the full text of the event. Sample output: SU 03/19 16:13 + ttyp7 bill-root
<$MSG_TIME_CREATED> Returns the time the message was created on the managed node in seconds elapsed since midnight (00:00:00), January 1, 1970, coordinated universal time. Sample output: 950008585
<$MSG_TYPE> Delivers the name set for message type.

Policy Variables Tab for XML File and Structured Log File Policies (Events only)

Variable Description
<$MSG_APPL> Returns the name of the application associated with the input event that caused the message. Sample output: /usr/bin/su(1) Switch User
<$MSG_GEN_NODE> Returns the IP address of the node that sends the event. Sample output: 192.168.1.123.
<$MSG_GEN_NODE_NAME> Returns the host name of the node that sends the event. Sample output: node123.example.com.
<$MSG_GRP> Returns the default category of the event. Sample output: Security
<$MSG_ID> Returns the unique identity number of the event, as generated by the agent. Note that identity numbers are not generated for suppressed messages. Sample output: 6e998f80-a06b-71d0-012e-0f887a7c0000
<$MSG_NODE> Returns the IP address of the node on which the original event took place. Sample output: 192.168.1.123
<$MSG_NODE_NAME> Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis. For example, if the policy is receiving SNMP traps that originate from other devices, you might want to set this variable to the name of the device where the trap originated.
<$MSG_SERVICE> Returns the service name associated with the event.
<$MSG_SEV> Returns the default value for the severity of the event. Sample output: Normal
<$MSG_TIME_CREATED> Returns the time the message was created on the managed node in seconds elapsed since midnight (00:00:00), January 1, 1970, coordinated universal time. Sample output: 950008585
<$MSG_TYPE> Delivers the name set for message type.

Policy Variables Tab for Open Message Interface, Scheduled Task, and SNMP Interceptor Policies (Events only)

Variable Description
<$#> (SNMP Only) Returns the number of variables in an enterprise-specific SNMP event (generic event 6 Enterprise specific ID). Sample output: 2
<$*> (SNMP Only) Returns all variables assigned to the event up to the possible fifteen. Sample output: [1] .1.1 (OctetString): arg1 [2] .1.2 (OctetString): turnip.example.com
<$@> (SNMP Only) Returns the time the event was received as the number of seconds since Jan 1, 1970 using the time_t representation. Sample output: 859479898
<$1> (SNMP Only) Returns one or more of the fifteen possible event parameters that are part of an SNMP event. (<$1> returns the first variable, <$2> returns the second variable, and so on.)
<$\>1> (SNMP Only) Returns all attributes greater than n as value strings, useful for printing a variable number of arguments. <$\>0> is equivalent to $* without sequence numbers, names, or types. Sample output: bokchoy.example.com
<$\>+1> (SNMP Only) Returns all attributes greater than n as name:value string. Sample output: .1.2: asparagus.example.com
<$+2> (SNMP Only) Returns the nth variable binding as name:value. Sample output: .1.2: artichoke.example.com
<$\>-n> (SNMP Only) Returns all attributes greater than n as [seq] name (type): value strings. Sample output: [2] .1.2 (OctetString): cauliflower.example.com
<$-2> (SNMP Only) Returns the nth variable binding as [seq] name-type:value. Sample output: [2] .1.2 (OctetString): brusselsprouts.example.com
<$A> (SNMP Only) Returns the node that produced the event. Sample output: eggplant.example.com
<$C> (SNMP Only) Returns the community of the event. Sample output: public
<$E> (SNMP Only) Returns the enterprise ID of the event. Sample output: .1.3.6.1.4.1.11.2.17.1
<$e> (SNMP Only) Returns the enterprise object ID. Sample output: .1.3.6.1.4.1.11.2.17.1
<$F> (SNMP Only) Returns the textual name of the remote postmaster daemon's computer if the event was forwarded. Sample output: cress.example.com
<$G> (SNMP Only) Returns the generic event ID. Sample output: 6
<$MSG_APPL> Returns the name of the application associated with the input event that caused the message. Sample output: /usr/bin/su(1) Switch User
<$MSG_GEN_NODE> Returns the IP address of the node that sends the event. Sample output: 192.168.1.123.
<$MSG_GEN_NODE_NAME> Returns the host name of the node that sends the event. Sample output: node123.example.com.
<$MSG_GRP> Returns the default category of the event. Sample output: Security
<$MSG_ID> Returns the unique identity number of the event, as generated by the Operations Agent. Note that identity numbers are not generated for suppressed messages. Sample output: 6e998f80-a06b-71d0-012e-0f887a7c0000
<$MSG_NODE> Returns the IP address of the node on which the original event took place. Sample output: 192.168.1.123
<$MSG_NODE_NAME> Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis. For example, if the policy is receiving SNMP traps that originate from other devices, you might want to set this variable to the name of the device where the trap originated.
<$MSG_SERVICE> Returns the service name associated with the event.
<$MSG_SEV> Returns the default value for the severity of the event. Sample output: Normal
<$MSG_TEXT> Returns the full text of the event. Sample output: SU 03/19 16:13 + ttyp7 bill-root
<$MSG_TIME_CREATED> Returns the time the message was created on the managed node in seconds elapsed since midnight (00:00:00), January 1, 1970, coordinated universal time. Sample output: 950008585
<$MSG_TYPE> Delivers the name set for message type.
<$N> (SNMP Only) Returns the event name (textual alias) of the event format specification used to format the event, as defined in the Event Configurator. Sample output: OV_Node_Down
<$O> (SNMP Only) Returns the name (object identifier) of the event. Sample output: .1.3.6.1.4.1.11.2.17.1.0.58916865
<$o> (SNMP Only) Returns the numeric object identifier of the event. Sample output: .1.3.6.1.4.1.11.2.17.1.0.58916865
<$R> (SNMP Only) Returns the true source of the event. This value is inferred through the transport mechanism which delivered the event. Sample output: carrot.example.com
<$r> (SNMP Only) Returns the implied source of the event. This may not be the true source of the event if the true source is proxying for another source, such as when an application running locally is reporting information about a remote node. Sample output: rutabaga.example.com
<$S> (SNMP Only) Returns the specific event ID. Sample output: 5891686
<$s> (SNMP Only) Returns the event's severity. Sample output: Normal
<$T> (SNMP Only) Returns the event time stamp. Sample output: 0
<$V> (SNMP Only) Returns the event type, based on the transport from which the event was received. Currently supported types are SNMPv1, SNMPv2, CMIP, GENERIC, and SNMPv2INFORM. Sample output: SNMPv1
<$X> (SNMP Only) Returns the time the event was received using the local time representation. Sample output: 17:24:58
<$x> (SNMP Only) Returns the date the event was received using the local date representation. Sample output: 03/27/10

Policy Variables Tab for All Policy Types (Metrics only)

Variable Description
<$MSG_GEN_NODE> Returns the IP address of the node that sends the event. Sample output: 192.168.1.123.
<$MSG_GEN_NODE_NAME> Returns the host name of the node that sends the event. Sample output: node123.example.com.