6.5.4 Configuring Event Filters

 

When events are generated from devices in a network, you can configure WebNMS to send some notifications. You can use Event Filters to configure WebNMS to automatically initiate actions for select Events.

 

WebNMS supports the following types of built-in filter notifications :

The processed events are stored in a database and can be viewed in the Events Viewer. The Events Viewer is asynchronously notified as soon as an event is processed.

 

You can configure an Event Filter using the Event Filter Configuration tool. You can use the properties of the event object or of the associated trap (if the event has been generated by a trap) in some of the fields, such as the Suppress Event notification, Run Command notification, Send Trap notification, and Send E-mail notification.

 

Note: In cases where the event has been generated by a trap, the PDU information of the associated trap that generated the event can be used as tokens. For more information, see Trap Protocol Data Unit Information in Appendix.

 

A custom filter can be configured to enable more effective event correlation and fault management by adding application-specific rules when processing events and alarms. However, this should be done by a developer and not by an administrator.

 




 

Opening the Event Filter Configuration Tool

 

The Event Filters can be created or modified using the Event Filter Configuration tool.

 

To open the Event Filter Configuration Tool

The Event Filter Configuration UI is displayed.

 

 

 


 

Adding Event Filters

 

To add an Event Filter

    1. From the Event Filter Configuration UI, click the Add Filter icon.

    2. Specify a name for the Event Filter in the Filter Name field.

    3. Specify the required criteria in the Match Criteria section. The Source and Severity fields will be available in the main screen itself. Other properties can be configured by clicking the Advanced button. Refer to the following table for information on the Match Criteria fields.

| Field | Description |
|---|---|
| Source | Match criteria based on the information about the source of the event so that the events matching a source can be filtered out. |
| Severity | Match criteria based on the severity of the event, such as Critical, Major, and so on. You can also choose the severities from the drop-down menu present next to the Severity field. |
| Message | Match criteria based on a message of the incoming event, such as Interface failure, Status Poll failed, and so on. |
| Category | Match criteria based on an event object property with a category name to which the event belongs. This is used to organize events. |
| Domain | Match criteria based on an event object property with any domain-specific information. The information might be based upon the physical location, or the functional or logical categorization of the source of the event. The domain name of the event displays events of a particular domain. |
| Network | Match criteria based on the information about the network to which the source of the event belongs. Using this criteria, events belonging to a particular network are displayed. |
| Node | Match criteria based on any additional information (name of the node) about the source of the event. |
| Entity | Match criteria based on the information about an exact device in which a problem has occurred. |

 

The values that you specify in the Match Criteria determine whether the incoming event should be filtered or not. If this field is left blank, it is automatically matched. For the Event Filter to be applied, all the match criteria specified must be satisfied. If even one criterion fails, the filter will not be applied. The following expressions can be used while specifying the match criteria:

      • Wildcard - Asterisk (*) Used to signify a match of 0 or more characters of any value. Example: Failed* matches any string starting with Failed. Expressions, such as *, *Failed, Fai*led*, can be used.

      • Negation - Exclamation (!) Used at the start of the field to specify exclusion of events matching this expression. Example: !Failed excludes strings starting with Failed.

      • Separator - Comma (,) Used to specify multiple values for a single match criterion by separating them with commas. Example: Critical, Major will match a string which is either Critical or Major.

The following combinations can be used while specifying match criteria.

      • * AND , : This combination can be used to obtain the combined result of two matching criteria that signifies a match of 0 or more characters for the given criteria. Example: (*x,*y) is tokenized into *x and *y and only data ending with x and y is matched.

      • ! AND , : This combination can be used to obtain the exclusion of events matching two criteria. Example: (!x,!y) is considered an AND operation. Hence all data starting with (x,y) will not be matched.

      • a,b : This combination is tokenized into two strings ('a' and 'b'). Therefore this criterion matches 'a,b' and also the data 'a' and 'b'.

To specify additional match criteria for the Event Filter, click More Properties and complete the following steps.

      • Specify the property name in the Property Name field and match criteria in the Property Value field. The match criteria specified must be based on the properties of the com.adventnet.nms.eventdb.Event object including user properties. While specifying additional criteria, specify only those properties that are in the event object. The name should exactly match the case of the event object. You can also add event base properties as match criteria, such as group name, help URL, ID, and time. For more information, refer to Event Properties in User Guide > Appendix.

      • When you are finished adding properties and values, close the More Properties dialog and then click OK in the Match Criteria Properties dialog.
         

    4. The next stage is specifying the filter notification to be triggered, when the new event satisfies the match criteria. The steps involved are as follows :

Note: An Event Filter must have at least one notification associated with it.

      • After configuring the notification values, click the Add button to add the notification to the Filter Action List in the left tree, and click the Add button at the bottom to add to the Actions List.

      • To add more notifications, click Add Action and proceed as above. Click Cancel to abort the operation any time.

    5. When you are finished adding Filter and notifications, click Apply and then OK.
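The match-criteria rules described in step 3 (blank field, *, ! and comma) can be modelled to preview which events a filter would act on before a Suppress or Run Command notification is attached to it. This is an added example, not WebNMS code: it follows the rules as stated on this page, assumes whole-string, case-sensitive comparison, and runs on constructed sample events.

```python
import re

def _token_matches(token, value):
    """Whole-string comparison in which '*' stands for zero or more characters."""
    pattern = ".*".join(re.escape(part) for part in token.split("*"))
    return re.fullmatch(pattern, value, flags=re.DOTALL) is not None

def field_matches(criterion, value):
    """Apply one Match Criteria field to one event property value."""
    criterion = criterion.strip()
    if not criterion:                 # a blank field is automatically matched
        return True
    if value == criterion:            # 'a,b' also matches the literal data 'a,b'
        return True
    tokens = [t.strip() for t in criterion.split(",") if t.strip()]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    allowed = [t for t in tokens if not t.startswith("!")]
    # '!x,!y' is an AND of exclusions: a hit on any excluded token rejects the value.
    if any(_token_matches(t, value) for t in excluded):
        return False
    # Comma-separated positive values are alternatives ('Critical, Major').
    # Assumption: a field holding only exclusions accepts every other value.
    return not allowed or any(_token_matches(t, value) for t in allowed)

def filter_applies(criteria, event):
    """All specified criteria must be satisfied; one failure means no match."""
    return all(field_matches(expr, str(event.get(prop, "")))
               for prop, expr in criteria.items())

def matched_events(criteria, events):
    """Return the ids of the events the filter's notifications would run for."""
    return [e["id"] for e in events if filter_applies(criteria, e)]

# Constructed sample events; property names follow the page's event.filters sample.
SAMPLE_EVENTS = [
    {"id": 1, "source": "switch-01", "stringseverity": "Critical"},
    {"id": 2, "source": "switch-01", "stringseverity": "Major"},
    {"id": 3, "source": "router-07", "stringseverity": "Critical"},
]

# Criteria of the page's EF1 sample filter, then a constructed, much broader filter.
EF1 = {"source": "s*", "stringseverity": "Critical"}
BROAD = {"source": "", "stringseverity": "!Info*"}

if __name__ == "__main__":
    print("EF1 would act on:  ", matched_events(EF1, SAMPLE_EVENTS))
    print("BROAD would act on:", matched_events(BROAD, SAMPLE_EVENTS))
```

A filter such as BROAD paired with a Suppress notification would drop every sample event, which is worth checking against recorded events before the filter is applied.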


 

Notification Types

 

This section explains the various notification types that you can configure for an Event Filter.

 

 

 

 

Send Trap Action

 

This notification type allows you to send SNMP v1/v2c traps when the incoming event matches this filter criteria. The traps can be configured to have event information if specified. It can be configured to be sent to any desired host.

 

For information on choosing the notification type, refer to the previous section Adding Event Filters. The following fields are present in the Send Trap Action dialog.

 

 

| Tab | Field | Description |
|---|---|---|
| General | Notification Name | Specify a name for the 'Send Trap' notification |
|  | Trap Destination | Specify the host to which the trap is to be sent |
|  | Destination Port | Specify the port to which the trap is to be sent |
|  | Trap Community | Specify the string to be set for the generated trap |
|  | SysUpTime (secs) | Specify the sysuptime value to be used in the trap |
| Snmp | v1/v2C | Radio Box to select the type of SNMP trap to be sent |
|  | Enterprise | Specify the enterprise OID of the trap. Applicable only to SNMP v1. |
|  | Generic Type | Specify the GT number of the trap. Applicable only to SNMP v1. |
|  | Specific Type | Specify the ST number of the trap. Applicable only to SNMP v1. |
|  | Trap OID* | Specify the OID of the trap that is being sent. Applicable only to SNMP v2c. |
|  | List button | Click Add in Filter Action Details section to add Variable Bindings to the trap. OID Value: Specify the value of the Object ID. SNMP Type: Choose the appropriate SNMP string from the drop-down list. Set Value: Specify the set value associated with the selected SNMP type. Click Update. To add more Variable Bindings, click Add and specify the values. |
| Advanced | Handler Impl For Events | Specify the class name that handles the execution of the particular notifier in separate thread for event processing. |
|  | Handler Impl for Alerts | Specify the class name that handles the execution of the particular notifier in separate thread for alert processing. |

 

To add variable bindings to the trap, click the List button in the Snmp tab in the Trap dialog. The Variable Binding List dialog will be shown.

 

To add a varbind,

    1. Click Add

    2. Choose the SNMP Type from the combo box provided

    3. Specify the value for the varbind in the Set Value field

    4. Click Update

Repeat the above procedure for adding multiple varbinds. The added varbinds will be available in the Variable Binding List Details area.

 

To modify a varbind,

    1. Select the particular varbind from the list area

    2. Modify the SNMP Type or value or both

    3. Click Update

The changes will get reflected in the list area.

 

 


 

Send E-mail Action

 

This notification type allows you to send e-mails when the incoming event matches this filter criteria.

 

For information on selecting the notification type, refer to the previous section Adding Event Filters. The following fields are present in the Email tab of the Notifications dialog.

 

For all the Send E-mail Action fields (except Recipient's Address and Sender's Address fields), you can specify the value using the event object attributes (and associated trap, if any) using tokens.

 

| Tab | Field | Purpose |
|---|---|---|
| General | Notification name | Specify a unique name for the notification. |
|  | SMTP Account Name | Specify the required SMTP account name configured in mailserver.conf. |
|  | Subject | Specify the subject of the e-mail. |
|  | Message | Specify the body content of the e-mail. |
|  | File Attachment | Files such as log files, can be attached with the mail, which will help the administrator in debugging the fault. |
| Advanced | Handler Impl For Events | Specify the class name that handles the execution of the particular notifier in separate thread for event processing. |
|  | Handler Impl For Alerts | Specify the class name that handles the execution of the particular notifier in separate thread for alert processing. |

 

 

To configure the SMTP mail server, refer to the Configurations section. If the settings are already configured in the notifications.conf file, they must be migrated to the mailserver.conf file, because all SMTP configuration is read from mailserver.conf from WebNMS 5.0 SP1 onwards. Refer to the README available in <Web NMS Home>/default_impl/migration for more details.

 

 

 

Making use of the associated trap properties in an event filter, if the event has been generated by a trap

 

When an event is generated by a trap, the associated trap PDU reference is maintained in the incoming event object if the parameter TRANSIENT_TRAP_PDU_IN_EVENT under the EventMgr module in the NmsProcessesBE.conf file, located in the <WebNMS Home>/conf directory, is set to true. If the incoming event object maintains the trap PDU reference, you can use the properties of the trap within the configured event filter, both when specifying match criteria (using the More option) and when specifying values of the various action fields. The symbolic notation for using the properties of the trap is similar to that of Trap Parsers, except for the following differences:

  • To access the values of the SNMP OID in the SNMP Variable bindings, the notation should start with % and not with $ as in trap parser.

  • All the special purpose tags should start with % and not with $ as in trap parser.

  • To access the SNMP OID in the SNMP Variable bindings, the notation should start with the same @ as in trap parser.

For more information, refer to Appendix.

 

 

Secure mailing (in SSL mode) is enabled in the "Send Email" action in event and alert filters. For more details on how to enable Secure Socket Layer, refer to the Enabling SSL communication in a WebNMS section.

 


 

Send SMS Action

 

This notification type allows you to send an SMS when the incoming event matches this filter criteria.

For information on selecting the notification type, refer to the previous section Adding Event Filters. The following fields are present in the SMS tab of the Notifications dialog.


| Tab | Field | Purpose |
|---|---|---|
| General | Notification name | Specify a unique name for the notification. |
|  | SMS Profile name | Specify the required SMS profile name configured in smsprofile.conf. |
|  | Message | Specify the body content of the SMS. |


By default, the configuration setting for PostgreSQL database will be enabled in the <WebNMS Home>/conf/SMSServer.conf file. With any other database, the corresponding entries must be uncommented in this file.

 

When using the SMS option, the modem details must be configured in the SMSServer.conf file present in <WebNMS Home>/conf folder.

 

# Lets add a modem
gateway.0=modem1, SerialModem
modem1.port=/dev/ttyUSB0
modem1.baudrate=9600
modem1.manufacturer=Huawei
modem1.model=e173
modem1.protocol=PDU
modem1.pin=
modem1.inbound=no
modem1.outbound=yes
modem1.smsc_number=+919442099997

 

where modem1.smsc_number is the message center number for the particular service provider.

 

Suppress Action

 

This notification type allows you to suppress (drop) events that match the filter criteria, either altogether or multiple events of the same type within a given interval.

 

For information on choosing the notification type, refer to the previous section Adding Event Filters. The following are the fields present in the Suppress tab of the Notifications dialog.

 

| Field | Purpose |
|---|---|
| Notification Name | Specify a name for the notification |
| Suppress All | This radio button indicates how to suppress incoming events. Yes (selected): Suppresses all subsequent events. No (unselected): Allows the first event and suppresses subsequent events during the specified interval. |
| Suppress Interval | Specify a numeric value (in seconds) to suppress multiple events for a given interval. The first event that matches the configured criteria is allowed and all the subsequent events are suppressed for the given interval. After the suppress interval has elapsed, another event matching the criteria is allowed and the subsequent events are again suppressed, and so on. The input for this field can be extracted from the event properties by using the replaceable parameter $<Event Property> or from the PDU information contained in the event when the event has been generated from a trap. But in either case, it is imperative to ensure that the value returns a numeric value. For information on PDU, refer to Trap Protocol Data Unit Information section in Appendix. |

 


 

Run Command Action

 

This notification type allows you to run a command on the server for events matching the filter criteria. It can be used to invoke a reminder application, or any other system command.

 

For information on choosing the notification type, refer to the previous section Adding Event Filters. The following are the fields present in the Run Command Notification tab of the Notification dialog.

 

| Tab | Field | Purpose |
|---|---|---|
| General | Notification Name | Specify a name for the 'Run command' notification |
|  | System Command | Specify the command to be executed. The command string should be a machine-executable program on the server that does not require a shell (it cannot be a batch or a shell file). Example: dir - Executing this command lists all the directories under <Web NMS Home> in the message field of the Event |
|  | Check boxes for command results | To append output or errors from the command to the event message, check one or both of the check boxes - append output to message and/or append error to message. Checking either or both the check boxes results in the command being run synchronously in the main event processing thread. This delays all events that follow the event being processed until the command execution is completed or terminated by timeout. |
|  | Abort After | Specify the time (in seconds) after which the command execution is to be terminated, i.e., the timeout value of the specified command. This value plays an important role if even one of the above check boxes is checked, since the entire event processing is held up by the command execution. |
| Advanced | Handler Impl For Events | Specify the class name that handles the execution of the particular notifier in separate thread for event processing. |
|  | Handler Impl For Alerts | Specify the class name that handles the execution of the particular notifier in separate thread for alert processing. |

 

To use shell scripts or commands, you must invoke the shell as a part of the command string. The command string must contain the full path of the shell where the Event server has started.

 

The fields for which the tokens can be used are the command argument fields and the timeout (Abort After) field of the notification. If the tokens are used for the timeout field, ensure that the dynamically generated value is numeric.

 


 

Custom Filter Notification

 

You can also write your own Java class to perform some actions according to your requirement. This class can be invoked when the incoming events satisfy the filter criteria. This is more of an option for a developer than an administrator. Refer to the Custom Filter Notification section of the Developer Guide for more details.

 

The following are the fields present in the Custom tab of the Notification dialog.

 

 

| Tab | Field | Purpose |
|---|---|---|
| General | Notification Name | Specify a name for the 'Run command' notification |
|  | Program Name | Specify the command to be executed. The command string should be a machine-executable program on the server that does not require a shell (it cannot be a batch or a shell file). Example: dir - Executing this command lists all the directories under <Web NMS Home> in the message field of the Event |
| Advanced | Handler Impl For Events | Specify the class name that handles the execution of the particular notifier in separate thread for event processing. |
|  | Handler Impl For Alerts | Specify the class name that handles the execution of the particular notifier in separate thread for alert processing. |

 


 

Modifying Event Filters

 

To modify the match criteria,

    1. Select the Event Filter to be modified, from the left panel of the Event Filter Configuration dialog.

    2. Add or Modify the criteria as needed.

    3. Click Apply.

    4. Click OK to quit the dialog.

To modify the notifications,

    1. From the left panel of the Event Filter Configuration dialog, select the Event Filter whose notification is to be modified.

    2. Click the Add Action icon of the Actions List panel.

    3. In the Add Action dialog, select the tree node corresponding to the notification that needs to be modified.

    4. Click Edit and make the appropriate changes.

    5. Click OK in the Add Action dialog.

    6. Click Apply to save the changes to the server and then OK to quit the dialog.


 

Event Filter Configuration Files

 

Event Filter information is stored in two configuration files namely event.filters and notifications.conf, both present in the <WebNMS Home>/conf directory. The following is a brief description of the files and their purpose.

 

event.filters : The event filter match criteria and the associated notification names are stored in this file. The notification name is stored in the name parameter of the FILTER_ACTION_NAME tag. Here is a sample entry of event.filters.

 

<EVENT_FILTERS>
  <FILTER name="EF1" enable="true" source="s*" stringseverity="Critical">
    <FILTER_ACTION_NAME name="NotifybyMail"/>
    <FILTER_ACTION_NAME name="NotifybyTrap"/>
    <FILTER_ACTION_NAME name="NotifybyCmd"/>
    <FILTER_ACTION_NAME name="SuppressEvent"/>
  </FILTER>
</EVENT_FILTERS>

 

notifications.conf : As seen above, only the notification names are stored in the event.filters file. The configuration details of the notifications are stored in the notifications.conf file. The main advantage of handling notifications in a separate file is that notifications that are common to both events and alerts can be defined at a single point and reused at both places. As filters are linked with the notifications through the notification names, it is essential that the notification names are kept unique.

 

Here are sample entries for notifications.conf.

 

<FILTER_ACTION className="com.adventnet.nms.eventdb.SendEmail" smtpAccountName="Default" name="NotifybyMail" attachedfileName="logs/nmserr.txt,logs/stderr.txt" subject="Notification from NMS" message="Event Generated for the Source $source__with Severity $severity and Message : $text"/>

 

The above entry is that of an e-mail notification. The following details are stored :

 

<FILTER_ACTION className="com.adventnet.nms.eventdb.SendTrap" name="NotifybyTrap" timeticks="0" specific="1" version="v1" trap_port="162" generic="6" community="public" peername="192.168.9.14" enterprise="11">
<VARBIND oid="1.1.0" type="STRING" value="test"/>
</FILTER_ACTION>

The above entry is that of a trap notification. The following details are stored :

<FILTER_ACTION className="com.adventnet.nms.eventdb.FilterCommand" append="true" errappend="true" name="NotifybyCmd" timeout="30" command="pwd"/>

The above entry is that of a 'Run Command' notification. The following details are stored :

<FILTER_ACTION className="com.adventnet.nms.eventdb.FilterAction" suppressInt="60" name="SuppressEvent" suppressAll="false"/>

 

The above entry is that of 'Suppress Event'. The following details are stored :

Note that the name parameter of the FILTER_ACTION_NAME tag in event.filters corresponds to the name parameter of the FILTER_ACTION tag in notifications.conf.
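Because filters and notifications are joined only by name, and the Run Command and Send Trap entries carry security-relevant settings, the two files can be checked together before they are deployed. The following script is an added example, not part of WebNMS: the sample file contents are constructed from the entries above, and /opt/nms/notify.sh and NotifybyPager are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

SHELLS = {"sh", "bash", "ksh", "csh", "cmd", "cmd.exe"}
TOKEN = re.compile(r"[$%@]\w")  # $property, %varbind value or special tag, @varbind OID

# Constructed samples, modelled on the entries shown on this page.
EVENT_FILTERS = """<EVENT_FILTERS>
<FILTER name="EF1" enable="true" source="s*" stringseverity="Critical">
<FILTER_ACTION_NAME name="NotifybyTrap"/>
<FILTER_ACTION_NAME name="NotifybyCmd"/>
<FILTER_ACTION_NAME name="NotifybyPager"/>
</FILTER>
<FILTER name="EF2" enable="true" source="*"/>
</EVENT_FILTERS>"""

NOTIFICATIONS = """
<FILTER_ACTION className="com.adventnet.nms.eventdb.SendTrap" name="NotifybyTrap"
  version="v1" trap_port="162" community="public" peername="192.168.9.14"/>
<FILTER_ACTION className="com.adventnet.nms.eventdb.FilterCommand" name="NotifybyCmd"
  timeout="$text" command="/bin/sh /opt/nms/notify.sh $source"/>
<FILTER_ACTION className="com.adventnet.nms.eventdb.FilterCommand" name="NotifybyCmd"
  timeout="30" command="pwd"/>
"""

def _parse(text):
    """Parse a file or fragment under a synthetic root (no real root tag is assumed)."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<audit_root>" + text + "</audit_root>")

def audit(event_filters_xml, notifications_xml):
    """Return a list of findings for the two configuration files."""
    findings, defined = [], set()
    for act in _parse(notifications_xml).iter("FILTER_ACTION"):
        name = act.get("name", "")
        if name in defined:  # filters link to notifications by name only
            findings.append(f"{name}: notification name is not unique")
        defined.add(name)
        kind = act.get("className", "").rsplit(".", 1)[-1]
        if kind == "SendTrap" and act.get("community") == "public":
            findings.append(f"{name}: trap uses the well-known community 'public'")
        if kind == "FilterCommand":
            command = act.get("command", "")
            words = command.split()
            argv0 = words[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if words else ""
            if TOKEN.search(command):  # event or trap content becomes command arguments
                findings.append(f"{name}: event or trap tokens reach the command line")
            if argv0 in SHELLS:
                findings.append(f"{name}: command is run through a shell ({argv0})")
            if not act.get("timeout", "").isdigit():  # Abort After must be numeric
                findings.append(f"{name}: Abort After is not a fixed number")
    for flt in _parse(event_filters_xml).iter("FILTER"):
        refs = [ref.get("name") for ref in flt.iter("FILTER_ACTION_NAME")]
        if not refs:  # a filter must have at least one notification
            findings.append(f"{flt.get('name')}: filter has no notification")
        for ref in refs:
            if ref not in defined:
                findings.append(f"{flt.get('name')}: undefined notification {ref}")
    return findings

if __name__ == "__main__":
    for finding in audit(EVENT_FILTERS, NOTIFICATIONS):
        print(finding)
```

The token and shell findings matter most when the event originates from an SNMP v1/v2c trap, since the varbind values substituted into the command come from whoever sent the trap.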

 


 

Loading Event Filter Files

 

To load an Event Filter file

    1. In the Event Filter Configuration dialog box, click Load File. The Load Event Filter From File dialog box is displayed.

    2. Specify the filename.

    3. Click Load.

Note: Any Filters with the same match criteria as that of the existing ones currently listed in the Event Filter UI are replaced with the Event Filters from the file that you load.

 


 

Reordering the Configured Event Filter List

 

To reorder Event Filter list


Enabling and Disabling Event Filters

 

Event Filters can be enabled or disabled using the parameter enable in the event.filters file located in the <WebNMS Home>/conf directory.

 

<EVENT_FILTERS>
  <FILTER name="MyEventFilter" enable="true">
    <FILTER_ACTION_NAME name="userprop" />
  </FILTER>
</EVENT_FILTERS>

 

If the enable value is set to true (default value), the corresponding Filter is enabled; and if it is set to false, it is disabled.

 

Note: The enabling/disabling of an Event Filter can be done only by editing the event.filters file and not through the Event Filter Configuration tool.

 


 

 

Deleting Event Filters

 

To delete an event filter

    1. Select the filter from the left panel in the Event Filter Configuration dialog.

    2. Click the Delete Filter icon in left panel. A confirmation is asked.

    3. Click Yes to delete the Event Filter.

To delete a filter notification

    1. In the Event Filter Configuration dialog, select the Event Filter in which the notification is to be deleted from the left panel.

    2. Select the notification from the Actions List panel.

    3. Click the Delete Action icon. A confirmation is asked.

    4. Click Yes to delete the notification.


 


Copyright © 2013, ZOHO Corp. All Rights Reserved.