Maintenance is complete- We've moved from the saas.hpe.com domain to softwaregrp.com click to read more
As part of our journey to complete our separation work and our future integration with Micro Focus, we've now updated our domain for the community. This is an interim step, which will be followed by a series of future update / improvements: - Piloting Idea boards - Refreshing the entire UI. (more to come later) - and more
Systems Management (OpenView-OP Mgmt) Practitioners Forum
cancel

Pattern Matching in OM

ramesh9
Acclaimed Contributor.

Pattern Matching in OM

OMU 9.x with OVO agent 11.x on HP Unix servers

 

I receive SNMP trap from NNM server and I need to pattern match for setting severity of the message.

 

The severity which I am interested is Critical, Major and Minor and Normal.

 

The message which I am trying to pattern match is,

 

1.3.6.1.4.1.11.2.17.19.2.2.20 (OctetString): .1.3.6.1.4.1.18568.2.1.1.2.2.1.13=22,.1.3.6.1.4.1.18568.2.1.1.2.8.1.1=23,.1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=1,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3=2,.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.4=3,.1.3.6.1.4.1.11.2.17.2.2.0=94.56.246.102,cia.snmpoid=.1.3.6.1.4.1.18568.2.1.1.5.0.6,cia.address=94.56.246.102,cia.originaladdress=127.0.0.1,cia.tenant.name=SAN,cia.tenant.uuid=d5e94736-2269-4117-8d32-e4270103da87,cia.securityGroup.name=SAN,cia.securityGroup.uuid=6ed47082-925d-4e83-adf4-c4f94d3b3775

 

The pattern which I had developed is for capturing Critical and Major message is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[1|2]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

and for Minor message is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[3]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

and for Normal message is,

 

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=<[5]>,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$

 

The severity is indicated by 3rd variable in the message.

 

When I apply pattern match for each severity in seperate conditions in SNMP policy in following order,

 

Normal

Critical | Major

Minor

 

I am seeing Normal, Critical, Major works.

 

When Minor severity message arrives I am getting Critical or Major severity alert and I am seeing the condition for Critical | Major is executed.

 

I tried to change the order in snmp trap policy but end-result is same.

 

Is the pattern matching I am trying to do is fine or are there better alternatives.

 

Please help.

5 REPLIES
Highlighted
m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Try the below for Minor message :

^<*.var0>=<*.domain>,<*.var1>=<*.resource>,<*.var2>=3,<*.var3>=<*.eventstate>,<*.var4>=<*.eventprevstate>,<*>$
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
ramesh9
Acclaimed Contributor.

Re: Pattern Matching in OM

Hello Vidyasagar

 

I had allready tried this and it did not work.

 

In my SNMP policy the order in which condition for each severity is,

 

Critical

Normal

Minor

 

When I set the pattern matching you had specified in Minor condition, it is not been captured by Minor condition.

Instead the message is captured by Critical condition and raises a Critical alarm.

m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Hi Ramesh,

I see strange behaviour with the pattern matching.

I tried testing the same using the log file policy and I say that only the first rule is matching.

Check out the below snapshot ( Same has been attached as well ).

As per your Trap , var2 should always match .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2

If var2 matches correctly then the proper alert is triggered if not it triggers the improper alert ( say, instead of Minor it triggers Critical\Major ) in those cases var2 variable is showing as .1.3.6.1.4.1.18568.2.1.1.3.1.3.1.2.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.2.4294967295.132192.4.2=3

Just looking, if there are any other ways to get through this.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
m_vidyasagar
Acclaimed Contributor.

Re: Pattern Matching in OM

Hi Ramesh,

Fedup with internet policies. I have sent you the image in private chat. please check.
- Vidyasagar Machani -

Tell me and I forget. Teach me and I remember. Involve me and I learn. -- Benjamin Franklin
ramesh9
Acclaimed Contributor.

Re: Pattern Matching in OM

Hello Vidyasagar

 

Thanks for your help, allthough did not get your image in private message, might have been blocked.

 

I checked again and I am seeing if following varbind,

 

.1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3

 

has value 2

 

then the sub-pattern,

 

<*.var2>=[1|2]

 

is getting matched.

 

If .1.3.6.1.4.1.18568.2.1.1.3.1.18.1.3 has value other than 2, then the sub-pattern 

 

<*.var2>=[1|2]

 

is not getting matched.

 

Now looking for further options to enhance.

 

If you have any inputs please share.