Configuring Rules in SNMP Trap Policies

Rules define the action a policy should take in response to a specific type of incoming event. Each rule consists of the following:

  • A condition for the incoming data

    The condition is the part of a policy that describes the data source.

  • Settings for the outgoing event

    The settings define the actual event data that Operations Connector sends to OMi.

A policy must contain at least one rule. If the policy contains multiple rules, they are evaluated consecutively. After the condition is matched in one rule, rule evaluation stops.

To access

In the Operations Connector user interface, click Create in the toolbar, then click Event > SNMP Interceptor. The SNMP Trap Policy editor opens.

Alternatively, double-click an existing SNMP trap policy to edit it.

Click Rules to open the policy Rules page.

Rule types

The rule types are:

  • Event on matched rule. If matched, Operations Connector sends an event to OMi. The event uses the settings defined for the rule. If you do not configure these settings, the default settings are used.

  • Suppress on matched rule. If matched, Operations Connector stops processing and does not send an event to OMi.

  • Suppress on unmatched rule. If not matched, Operations Connector stops processing and does not send an event to OMi.

Tasks

How to configure rules in SNMP trap policies

This task describes how to configure policy rules.

  1. In the Policy Rules section, click Create new rule in the toolbar and select the rule type. Then type a description for the rule. After a rule has been added, you can change the rule type by clicking the current rule type in the list of rules and selecting another rule type from the drop-down list.

    Alternatively, select an existing rule and click Copy rule to copy the rule. You can then rewrite the description of the copied rule and edit the rule.

  2. In the Rule Content section, use the Condition tab to define the match condition for the SNMP traps. You can match SNMP traps generated from a specific node, or SNMP traps with specific IDs.

  3. In the Condition Variable Bindings tab, select the variable bindings you want the policy to read, and write one or more match patterns for each binding. You can use pattern-matching rules when matching variable bindings.

    For example, in many SNMP events $2 contains the hostname of the sender of the SNMP event. To match only events from systems in the domain example.com, use the pattern <*>.example.com:

    Figure: Variable binding example

  4. Use the Event Attributes tab to define event attributes (for example, event title and description) for all events generated by this rule.

    After loading the indicators from the connected OMi server, the Indicators tab shows a hierarchy of configuration item types.

    To insert an indicator, drag the indicator with its state from the Indicators tab to the policy.

  5. Use the Event Correlation tab to set the type of duplicate event suppression and define the method used to suppress duplicate events.

  6. Use the Custom Attributes tab to add additional information to all events generated by this rule. For example, you might add a company name, contact information, or a city location to an event.

  7. Use the Advanced tab to define an event drill-down URL, legacy HPOM attributes, and agent MSI (Message Stream Interface) settings.

UI Descriptions

Policy Rules List

UI Element

Description

Create New Rule: Provides the following options:

  • Event on matched rule. If matched, Operations Connector sends an event to OMi. The event uses the settings defined for the rule. If you do not configure these settings, the default settings are used.

  • Suppress on matched rule. If matched, Operations Connector stops processing and does not send an event to OMi.

  • Suppress on unmatched rule. If not matched, Operations Connector stops processing and does not send an event to OMi.

Copy Rule. Copies the selected rule. You can then rewrite the description of the copied rule and edit the rule.
Delete Rule. Deletes the selected rule.
Move Up. Moves the selected rule higher in the rule order.
Move Down. Moves the selected rule lower in the rule order.
<Move to>

Selects the rule with the entered sequence number in the list of rules.

To select a specific rule in the rule list, type the rule's sequence number in the <Move to> field and click the button.

<Search Rules>

Searches the rule descriptions for the entered string and highlights only the rules containing that string.

To search for rules with specific text strings in the rule description, type the string in the <Search Rules> field and click the button. The first matching rule is selected in the list of rules. Click the previous and next buttons to move to the previous and next matching rule.

Activate/Deactivate Rule Filter. Activates and deactivates the rule filter.
Seq. Sequence number of the rules. Rules are evaluated in a specific order. When one condition is matched, no additional rules are evaluated.
Rule Description. Description of the rule. It is good practice to use a description that helps you remember what the rule does.
Rule Type

The three rule types are:

  • Event on matched rule. If matched, Operations Connector sends an event to OMi. The event uses the settings defined for the rule. If you do not configure these settings, the default settings are used.

  • Suppress on matched rule. If matched, Operations Connector stops processing and does not send an event to OMi.

  • Suppress on unmatched rule. If not matched, Operations Connector stops processing and does not send an event to OMi.

You can change the rule type by clicking the current rule type in the list of rules and selecting another rule type from the drop-down list.

Condition Tab

UI Element

Description

Node

FQDN (Fully Qualified Domain Name), the primary node name, or the IP address of the configuration item for which you want to forward events.

If you only want to match SNMP events from a specific configuration item, type the FQDN (Fully Qualified Domain Name), the primary node name, or the IP address. Separate multiple entries with the OR operator (for example, celery.example.com|broccoli.example.com), or leave blank for all configuration items.

Event Object ID

Complete Event Object Identifier for the SNMP trap that you want to match.

For example: .1.3.6.1.4.1.11.2.17.1.0.40000001

SNMPv1 notation

If selected, you can specify only part of the identifier rather than the complete event object ID.

For example, by specifying only the Enterprise ID, you can match all events with a specific Enterprise ID.

Enterprise ID

Enterprise ID for incoming SNMP traps to be compared with this condition. The enterprise ID is a vendor-specific identifier for the trap. Standard Operations Connector pattern-matching syntax cannot be used in this field; however, it is possible to match a range of objects by entering only a prefix. For instance, the pattern:

.1.3.6.1.4.1.11.2.17

would match:

.1.3.6.1.4.1.11.2.17.1

.1.3.6.1.4.1.11.2.17.2

and so on.

Generic ID

Generic Trap ID. Possible values are:

  • (0) ColdStart
  • (1) WarmStart
  • (2) LinkDown
  • (3) LinkUp
  • (4) Authentification
  • (5) EgpNeighborLoss
  • (6) EnterpriseSpecific
  • (7) don't care

If you select (6) EnterpriseSpecific, you can type in the specific trap ID. Select don't care to intercept any kind of trap.

Specific ID

Type in the specific trap ID if you have selected (6) EnterpriseSpecific in Generic ID. Enterprise-specific SNMP traps can be implemented by vendors on their specific network devices. The specific trap ID is used to identify the source of the trap.

The SNMP syntax used by the policy editor requires that the trap string begin with a dot (.).
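The following Python model is an added example, not Operations Connector code. It shows how the three rule types, the sequence order, the Node OR list and the Enterprise ID prefix interact, and it flags rules that never decide an outcome for a set of sample traps. It assumes that node names are compared as exact, case-insensitive strings and that OID prefixes are compared arc by arc; the policy, the traps and all function names are constructed for illustration.

```python
from dataclasses import dataclass

EVENT_ON_MATCHED = "Event on matched rule"
SUPPRESS_ON_MATCHED = "Suppress on matched rule"
SUPPRESS_ON_UNMATCHED = "Suppress on unmatched rule"

@dataclass
class Rule:
    seq: int
    rule_type: str
    description: str
    node: str = ""           # OR list such as "a|b"; blank matches all nodes
    enterprise_id: str = ""  # OID prefix; blank matches any enterprise ID

def oid_has_prefix(oid, prefix):
    # Assumption: prefixes are compared arc by arc, so .1.3.6.1.4.1.11.2.17
    # matches .1.3.6.1.4.1.11.2.17.1 but not .1.3.6.1.4.1.11.2.171.
    arcs, want = oid.strip(".").split("."), prefix.strip(".").split(".")
    return arcs[:len(want)] == want

def condition_matches(rule, trap):
    nodes = [n.strip().lower() for n in rule.node.split("|") if n.strip()]
    if nodes and trap["node"].lower() not in nodes:
        return False
    return not rule.enterprise_id or oid_has_prefix(trap["enterprise"], rule.enterprise_id)

def evaluate(rules, trap):
    """Return (outcome, seq of the deciding rule) for one trap."""
    for rule in sorted(rules, key=lambda r: r.seq):
        matched = condition_matches(rule, trap)
        if matched and rule.rule_type == EVENT_ON_MATCHED:
            return ("event", rule.seq)
        if matched and rule.rule_type == SUPPRESS_ON_MATCHED:
            return ("suppressed", rule.seq)
        if not matched and rule.rule_type == SUPPRESS_ON_UNMATCHED:
            return ("suppressed", rule.seq)
    # The page does not say what happens when no rule decides; reported as-is.
    return ("unmatched", None)

def never_deciding(rules, traps):
    """Sequence numbers of rules that decided the outcome for none of the traps."""
    deciding = {evaluate(rules, t)[1] for t in traps}
    return [r.seq for r in rules if r.seq not in deciding]

# Constructed policy and traps, for illustration only.
POLICY = [
    Rule(1, SUPPRESS_ON_UNMATCHED, "Only continue for enterprise .1.3.6.1.4.1.11",
         enterprise_id=".1.3.6.1.4.1.11"),
    Rule(2, SUPPRESS_ON_MATCHED, "Drop everything from the lab node", node="celery.example.com"),
    Rule(3, EVENT_ON_MATCHED, "Forward .17 subtree", enterprise_id=".1.3.6.1.4.1.11.2.17"),
    Rule(4, EVENT_ON_MATCHED, "Forward .17.1 from celery (never reached)",
         node="celery.example.com", enterprise_id=".1.3.6.1.4.1.11.2.17.1"),
]
TRAPS = [
    {"node": "broccoli.example.com", "enterprise": ".1.3.6.1.4.1.11.2.17.1"},
    {"node": "celery.example.com", "enterprise": ".1.3.6.1.4.1.11.2.17.1"},
    {"node": "broccoli.example.com", "enterprise": ".1.3.6.1.4.1.99999.1"},
    {"node": "broccoli.example.com", "enterprise": ".1.3.6.1.4.1.11.2.171"},
]

if __name__ == "__main__":
    for trap in TRAPS:
        print(trap, "->", evaluate(POLICY, trap))
    print("rules that decided nothing:", never_deciding(POLICY, TRAPS))
```

Rule 4 never fires because rule 2 stops evaluation first for every trap from celery.example.com, which is the kind of ordering gap worth checking before relying on a policy to forward security-relevant traps.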

Condition Variable Bindings Tab

UI Element

Description

Creates a new variable binding.
Deletes the selected variable binding.
Opens the Variable Bindings Options page.
Variable

Variable binding you want the policy to read. 1 represents the first variable binding in the event, 2 the second variable, and so on. You do not need to prefix the variable with a dollar sign ($); Operations Connector does this automatically.

Pattern

Match pattern for the binding. You can click the button to open the pattern matching expression toolbox.

For matching patterns, you can use standard pattern-matching rules of Operations Agent. Select the matches operator and click the icon in the Operand field to open the pattern matching toolbox window. The toolbox includes the following sections:

  • Pattern Matching Expressions. Click an expression to insert it into the Operand text box.

  • Variable Bindings Options. Variable binding options include the setting of case sensitivity check and the field separators used in the rule. If you do not specify the pattern matching options for the rule, either the defaults (enabled case sensitivity check; the space and the tab character as the separators) or the default options set for the policy are used.

Event Attributes Tab

UI Element

Description

Title

Brief description of the nature of the event.

Description

Detailed description of the event.

Severity

Severity assigned to the event. Accept the severity that is set in the event defaults or choose a specific event severity: Critical, Major, Minor, Warning, Normal.

Category

Name of the logical group to which the event belongs (for example, Database, Security, or Network). The event category is similar in concept to the Operations Manager message group.

Subcategory

Name of the logical subgroup (category) to which the event belongs (for example, Oracle (database), Accounts (security), or Routers (network)).

ETI

Contains the event type indicator (ETI) resolution hint, which OMi uses to associate the event with an ETI and for event correlation.

Use the format <ETI name>:<ETI state>:<metric value>. Specify the name of the indicator (for example, CPULoad), the indicator state (for example, High), and, optionally, the metric value (for example, 80). When OMi receives an event with an ETI resolution hint of CPULoad:High, and the ETI and state exist, the Event Type Indicator attribute is set to CPULoad:High in the event. The metric value is optional and serves informational purposes only.

Node

Name of the system where the event occurred (for example, node.example.com).

Related CI

Contains the CI that is related to the metric (for example, oraclesid01@@node.example.com or C:@@server.example.com). Use the format <CI 1>:<CI 2>:...:<CI n>@@<hostname>.

Best practices for related CIs

It is necessary to differentiate between CIs that have a Composition relationship to a node, and those that do not have such a relationship:

  • For “hosted on” CIs

    <key attribute 1>:<key attribute 2>:<key attribute n>@@<hostname>

    Typically, a “hosted on” CI is a sub-type of “Running Software”. For example, a CI of type websphereas has a Composition relationship to a node.

  • For virtual CIs

    <key attribute 1>:<key attribute 2>:<key attribute n>

    A virtual CI does not have a strong containment relationship (Composition relationship) to node.

    An example of a typical virtual CI type is cluster. This CI type does not have a strong containment relationship to a node.

    If you have problems resolving non-hosted CIs, provide the RTSM ID of the desired CI by using the format UCMDB:<ci_uuid>.

For more information about CI resolution in OMi, see the OMi Help.

Sub Component

Information used to identify a subcomponent of a CI. This CI subcomponent is used to calculate an aggregated status within OMi's Service Health for selected CIs.

If an HI is populated by events from multiple components, you can specify a component name in this field in order to ensure the correct calculation of the HI state.

For example, if you have a Computer CI with two CPUs, cpu #1 and cpu #2, events from both CPUs will be sent to the same CPU Load HI. By default, the events will override each other and create an incorrect HI state. To prevent this, you can populate Sub Component with values "cpu #1" and "cpu #2" which will cause the HI state to be calculated as an aggregated state between the two events.

Source CI

Contains the source related CI. For example, type the name and instance of the third-party system that provides events (for example, NNMi@@mgmt1.example.com or SCOM@@mgmt2.example.com).

If you enter a source related CI, OMi tries to find the corresponding CI in the RTSM.

Source Event ID

ID of the event in the third-party system. This ID is required for synchronization of event changes with the source event. It also enables drilldown into the third-party system in the Event Browser in OMi.

The file that the policy reads usually contains the source event ID. If you are working with sample data, you can drag the source event ID from the Sample Data tab and add it to the source event ID field.

Send with closed status (For the Open Message Interface, SNMP Interceptor, and Scheduled Task policies)

Sets the event's lifecycle status to Closed before sending it to OMi.

Event Correlation Tab

UI Element

Description

Event Key

An identifier used to identify duplicates and for Close Events with Key.

Event Suppression
Enable Event Suppression

Enables event suppression for the events generated by this policy.

If event suppression is enabled in the event defaults, you can choose to apply them to or override them for this rule:

Use default settings for Event Suppression. Applies the event suppression settings configured in the event defaults to this rule.

Override default settings for Event Suppression: Enables you to configure specific event suppression settings for this policy rule.

Suppress events which are
  • Generated by the same input event. Select this option to suppress events that were sent in response to two separate input events that are identical except for the date and time that the event was generated (for example, identical entries in a log file).

  • Generated by the same rule. Select this option to suppress events that match the pattern specified for the selected rule. This is a more general setting for the suppression of duplicate events. For example, a policy might contain a rule with this match pattern: Error Message<#>. The log file lines Error Message10 and Error Message20 are not identical, but would both match this rule.

  • Identical relative to their attributes. Select this option to suppress either events that have the same event key or (if no event key is present) events that have identical event attributes (except for the date and time that the event was generated).

Suppression Method

For event correlation, you can define one of three correlation methods:

  • Time Interval. This correlation method lets you define an interval during which duplicate events will be ignored. For more information, read this detailed example.

    Time interval correlation example

    In this example, the interval is set to 30 seconds, but the suppression is limited to 60 seconds. The events E1 to E4 are identical.

    1. The first input event (E1) matches a rule in the policy. The policy sends an event and starts timing.
    2. A second matching event (E2) occurs 25 seconds later. This event occurred less than 30 seconds after the first event, and is therefore suppressed.
    3. A third matching event (E3) occurs less than 30 seconds after the second event, and so is also suppressed.
    4. The next matching event (E4) occurs less than 30 seconds after the third event, but is also more than 60 seconds after the first event, and therefore the policy sends an event.
  • Counter. This correlation method counts the number of matching input events and sends an event only after the number of matching input events equals the counter threshold. The counter can also be reset to zero after a time period that you specify. For more information, read this detailed example.

    Counter correlation example

    In this example, the events E1 to E4 are identical.

    1. The first input event (E1) matches a rule in the policy, and the counter increments to one. No event is sent.
    2. A second matching event (E2) occurs, the counter increments to two, an event is sent, and the counter resets.
    3. A third matching event (E3) occurs, and the counter increments to one. No event is sent.
    4. The next matching event (E4) occurs more than thirty seconds after the third event. Since at thirty seconds the counter was reset to zero, the counter now increments to one. No event is sent.
  • Time Interval/Counter. If you use the Time interval and Counter together, events are evaluated first by the timer. If an event passes the timer, it is then evaluated by the counter, which either suppresses it or sends an event to OMi.

    If you specify just time interval correlation or just counter-based correlation in an individual event, any event defaults for the other correlation method also apply. For example, if you specify time interval correlation for an event, and the event defaults specify counter-based correlation, the combined time interval and counter-based correlation applies to both new rules and existing rules.

    You can change this default behavior, so that only the correlation method that you specify in the individual event applies. To change the default behavior, set the parameter OPC_IGNORE_DEFAULT_MSG_CORRELATION=TRUE in the eaagt namespace on the node. You can configure this parameter using ovconfchg at a command prompt.

Time Interval

Time interval during which duplicate events are ignored.

Suppress for no longer than

Time interval after which duplicate events are no longer ignored.

Counter threshold

Value that triggers an event if met or crossed.

Reset counter threshold after

Time interval after which the counter is reset to 0.
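
The two worked examples above and the combined Time Interval/Counter method can be replayed with the following Python simulation. It is an added example, not Operations Connector code. It assumes that the interval is measured from the previous matching event, that the "Suppress for no longer than" limit is measured from the last event sent, and that the counter reset period starts when the counter leaves zero; class and function names and the event timestamps (in seconds) are constructed.

```python
class TimeIntervalSuppressor:
    def __init__(self, interval, max_suppress):
        self.interval = interval          # "Time Interval"
        self.max_suppress = max_suppress  # "Suppress for no longer than"
        self.first_sent = None            # time of the last event that was sent
        self.last_seen = None             # time of the previous matching event

    def passes(self, t):
        """True if the matching event at time t is not suppressed."""
        recent = self.last_seen is not None and t - self.last_seen < self.interval
        capped = self.first_sent is not None and t - self.first_sent > self.max_suppress
        self.last_seen = t
        if recent and not capped:
            return False
        self.first_sent = t
        return True


class CounterSuppressor:
    def __init__(self, threshold, reset_after=None):
        self.threshold = threshold      # "Counter threshold"
        self.reset_after = reset_after  # "Reset counter threshold after"
        self.count = 0
        self.window_start = None

    def passes(self, t):
        """True if the matching event at time t brings the counter to the threshold."""
        expired = (self.count and self.reset_after is not None
                   and t - self.window_start >= self.reset_after)
        if expired:
            self.count = 0
        if self.count == 0:
            self.window_start = t
        self.count += 1
        if self.count >= self.threshold:
            self.count = 0
            return True
        return False


def correlate(times, timer=None, counter=None):
    """Return the timestamps at which an event is sent to OMi."""
    sent = []
    for t in times:
        # The timer is evaluated first; only events that pass it reach the counter.
        if timer is not None and not timer.passes(t):
            continue
        if counter is not None and not counter.passes(t):
            continue
        sent.append(t)
    return sent


if __name__ == "__main__":
    # Constructed timestamps that follow the two examples on this page.
    print(correlate([0, 25, 50, 75], timer=TimeIntervalSuppressor(30, 60)))
    print(correlate([0, 10, 20, 55], counter=CounterSuppressor(2, 30)))
    print(correlate([0, 25, 50, 75, 140],
                    timer=TimeIntervalSuppressor(30, 60), counter=CounterSuppressor(2)))
```

With both methods active, only one of the five constructed input events reaches OMi, so the combined default behavior described above is worth confirming before it is applied to rules that carry security alerts.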

Custom Attributes Tab

UI Element

Description

Create New Custom Attribute. Creates a new custom attribute.
Delete Custom Attribute. Deletes an existing custom attribute.
Name

The name of the custom attribute. The name is case-insensitive.

Custom attributes are additional attributes that contain any information that is meaningful to you. For example, you might add a company name, contact information, or a city location to an event. You can have more than one custom attribute attached to a single event.

The following custom attribute names cannot be used because they are reserved for internal use:

Description

EtiHint

HP_OPR_SAAS_CUSTOMER_ID

NoDuplicateSuppression

RelatedCiHint

SourceCiHint

SourcedFromExternalId

SourcedFromExternalUrl

SubCategory

SubCiHint

Value

Value of the custom attribute.

Advanced Tab

UI Element

Description

Event Drilldown
Event Drilldown URL

URL of the event in the third-party system. This is the complete path of the URL, and includes the FQDN (fully qualified domain name) of the computer that hosts the third-party system, the communication port, and the root URL path (for example, http://nnmi.example.com:8004/nnm/launch?cmd=showForm&objtype=Incident&objuuid=$OPC_CUSTOM[nnm.incident.uuid]&menus=true).

Event drilldown information enables OMi users to launch the user interface of the third-party system in the context of an event.

To drill down to a specific event in the third-party system, add the source event ID to the URL.

This event attribute can also be set by OMi based on an Operations Connector integration server configuration. If a policy and an integration server configuration both set this attribute, the information in the policy takes precedence.

OM Attributes
Application

Application that caused the event to occur. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the application attribute is a simple string-type attribute (for example, Oracle and OS).

Object

Device such as a computer, printer, or modem. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the object attribute is a simple string-type attribute (for example, C:, and /dev/spool).

Type

String used to organize different types of events within an event category or subcategory (for example, users or applications, accounts and security).

The attribute is automatically set to BSMC_Message. You can delete the value but it will be inserted when you save the policy.

HPOM Service ID

ID of the service associated with the event. A service ID is a unique identifier for a service and can be used in OMi to identify the node and CI associated with the event.

Agent MSI

The message stream interface (MSI) allows external applications to interact with the internal event flow of Operations Agent. The external application can be a read-write application, for example, an event processing program that can read events, modify attributes, and generate new events for retransmission to the server. The application could also read events, or send its own events.
Divert events. If Agent MSI is enabled, diverts an event to the MSI instead of to the server when an event is requested by an external application.
Copy events. If Agent MSI is enabled, sends the event to the server, and a copy of the event to the MSI.