Sample OMNIbus rules for SNMP alerts

IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Agent-based services > SNMP alerts > OMNIbus configuration for SNMP
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2

Sample OMNIbus rules for SNMP alerts

The IBM Tivoli Monitoring V6.2.2 or later Agents installation media has a sample rules files that you add to the Netcool/OMNIbus SNMP Probe configuration.

Tivoli Monitoring SNMP trap mib

The ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.rules file contains a sample mapping of the IBM Tivoli Monitoring SNMP trap variables to the Default alerts.status fields in OMNIbus. The ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.lookup file contains these tables:

SituationCategory maps the Tivoli Monitoring $autoSit-Category to OMNIbus @AlertGroup.
SituationSeverity maps the Tivoli Monitoring $autoSit-Severity to OMNIbus @Type: 1 - Problem; 2 - Resolution; and 13 - Information. It also changes the severity of an autoSit-Severity=0 clearing trap to 1 so that the OMNIbus generic_clear automation will correlate events.
SituationSource enumerates the $agentSit-Source that identifies whether the situation was an enterprise situation defined at the Tivoli Enterprise Monitoring Server or a private situation defined in the Private Situation Configuration file located in the agent installation directory, <tema_install_dir>/localconfig/kpc. This table is also use to determine event Class.

Notes on creating the @Identifier & @AlertKey
The ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.rules use the Tivoli Netcool/OMNIbus Deduplication Automation and Generic Clear Automation. These automations rely on several alert fields, including the Identifier and the AlertKey fields, each of which can be up to 255 characters. The Netcool/OMNIbus rules file standard for setting the Identifier alert field for an SNMP alert is:
 @Identifier = @Node + “ “ + @AlertKey + “ “ + @AlertGroup + “ “ + @Type + “ “
 + @Agent + “ “ + @Manager + “ “ + $specific-trap
Because the AlertKey is included in the information that is used to construct the Identifier, you might encounter truncation problems with 255-character AlertKeys used to create your Identifier.
As implemented in the ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.rules:
@Identifier = @Node + " " + @AlertKey + " " + $autoSit-Category + " " + @Type  +
" " + @Agent + " " + @Manager + " " + $specific-trap
$autoSit-Category is an enumeration of the @AlertGroup (24 bytes), and is substituted for @AlertGroup to save 23 bytes in the final Identifier. These are the maximum field lengths of the components used to construct the Identifier:

Field Size
@Node Max length 32
$autoSit-Category fixed length 1
@Type Max length 2
@Agent Max length 31
@Manager fixed length 13
$specific-trap fixed length 2
6 space delimiters 6
Total 87

This leaves 168 characters for the @AlertKey (255-87=168). If @AlertKey is defined as $agentSit-Name + " (" + $sitDisplayItem + ")", then $sitDisplayItem must be less than 133 characters (168-35=133).

Field Size
agentSit-Name 32
space delimiter 1
parentheses 2
Total 35

A best practice is to limit $sitDisplayItem to 128 characters to maintain consistency with the IBM Tivoli Monitoring EIF probe rules. The sample rules enforce this limit using
$sitDisplayItem=substr($sitDisplayItem, 1, 128)
Situations written for attribute groups (such as Event Log) that generate pure events can be deduplicated using the $agentSit-Name, but many might require additional information to uniquely identify the event. Use the $sitDisplayItem attribute to construct this additional data. The AlertKey will then be
$agentSit-Name + " (" + $sitDisplayItem + ")"
Use case statements based on the $agentSit-Table field to identify all events based on a specific table.
Use case statements based on the $agentSit-Name if individual situations need unique $sitDisplayItems. The extract command can be used to extract the value of any of the name value pairs from the $sitAttributeList using regex pattern matching. An example is provided in the Sample rules for agentSitPureEvent traps based on the NTEVTLOG $agentSit-Table.
$sitDisplayItem=extract($sitAttributeList,"Description=.(.+).;.*?") 
This command extracts the value of the Description key and removes the quotes.

Compatibility notes
@ExtendedAttr
OMNIbus V7.2 and greater defines the @ExtendedAttr column in the ObjectServer. The nvp functions are provided to allow manipulation of name-value pairs in the @ExtendedAttr alert field. The sitAttributeList varbind is formatted to allow direct mapping into the @ExtendedAttr, but this function is commented out to allow the rules to parse when the MTTRAPD probe connects to an OMNIbus ObjectServer V7.0 or V7.1. Uncomment the two lines in the ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.rules file that set @ExtendedAttr if you are forwarding events to OMNIbus V7.2 or greater.
#            @ExtendedAttr = $sitAttributeList
@Class

The @Class alert field is used to associate Tivoli Netcool/OMNIbus Tools with Events displayed in the Tivoli Netcool/OMNIbus EventList.
For Tivoli Netcool/OMNIbus 7.2x and below, see the Netcool/OMNIbus documentation for more information on creating and editing classes. By default, these class values are not defined in your ObjectServer.
Setting @Class to a value that is not defined in the OMNIbus ObjectServer causes no problems, but if you prefer to not set the @Class, uncomment this line in the ibm-TIVOLI-CANSYSSG-MIB.include.snmptrap.rules file to clear the @Class field before the event is forwarded to OMNIbus. # @Class = ""
Parent topic:
OMNIbus configuration for SNMP

+
Search Tips | Advanced Search

Field	Size
@Node Max length	32
$autoSit-Category fixed length	1
@Type Max length	2
@Agent Max length	31
@Manager fixed length	13
$specific-trap fixed length	2
6 space delimiters	6
Total	87