Thanks everyone for the comments.
I had another response off-list from a v9.1 user (I run v9.2H03) and his system
actually has a trap mapped in Cisco_router\AlertMap file for the 0x00210c0e
event with the four varBinds. Sounds like the mystery is solved, so I looked
in my Cisco_router\AlertMap file for that same trap OID and it points to
something different.
# ciscoSyslogMIBNotification
1.3.6.1.4.1.9.9.41.2.6.1 0x00210d40 1.3.6.1.4.1.9.9.41.1.2.3.1.2(1,0)\
    1.3.6.1.4.1.9.9.41.1.2.3.1.3(2,0)\
    1.3.6.1.4.1.9.9.41.1.2.3.1.4(3,0)\
    1.3.6.1.4.1.9.9.41.1.2.3.1.5(4,0)\
    1.3.6.1.4.1.9.9.41.1.2.3.1.6(5,0)
So I go hunting in the EventDisp file for the 0x00210d40 event to see what it
does…
And I get this:
0x00210d40
That's it! That above on an otherwise blank line. So how does that even work?
This whole goose hunt started because I was seeing MAJOR alarms on some syslog
events and not others which looked identical (cause codes were different, and
that's where the original 210c0e came in). I think the answer is in the event
on the next line:
0x00210d41 P " \
    If( \
        Regexp( \
            GetEventVariable( { U 4 } ), \
            { S \"%.*?-.*?-(.*?):\" } ), \
        CreateEventWithAttributes( \
            { C CURRENT_MODEL }, \
            { H 0x00210d40 }, \
            SetEventVariable( \
                GetEventVariableList(), \
                { U 3 }, \
                GetRegexp( \
                    GetEventVariable( { U 4 } ), \
                    { S \"%.*?-.*?-(.*?):\" }, \
                    { U 1 } ))), \
        CreateEventWithAttributes( \
            { C CURRENT_MODEL }, \
            { H 0x00210d42 }, \
            SetEventVariable( \
                SetEventVariable( \
                    CreateEventAttributeList(), \
                    { U 1 }, \
                    GetEventVariable( { U 4 } )), \
                { U 2 }, \
                { S \"could not extraxt mnemonic from syslog message\" } )))"
You can see that it references the 210d40 event, but how does this event even
get called? The trap map points to the event right above it and it's blank! It
looks like 210d41 creates 210d40 on-the-fly, but something has to initiate it.
-K
On Oct 26, 2011, at 6:00 AM, Mark Serencha wrote:
> Hi list,
>
> Here's some information from Spectrum 9.1
> I had to add some event handling for DUPLEX_MISMATCH once upon a time.
>
> Cisco Router, Switch, and Firewall devices log many internal events in the
> device's system log, or syslog. Depending upon device configuration, these
> syslog events may be sent to Spectrum using traps.
> Spectrum uses the values of three trap variables to map the trap to a
> Spectrum Event ID. These mappings are contained in three text files on the
> SpectroSERVER:
>
> - $SPECROOT/SS/CsVendor/Cisco_Router/Rtr.txt
> - $SPECROOT/SS/CsVendor/Ctron_CAT/Switch.txt
> - $SPECROOT/SS/CsVendor/CiscoPIX/Pix.txt
>
> These text files have the following internal fields, separated by spaces:
>
> - An abbreviated classification, for example RCMD or SNMP
> - A Cisco severity level, a digit from 0 to 4
> - An abbreviated text description, for example AUTHFAIL
> - A Spectrum Event ID
>
> For example:
> CDP 4 DUPLEXMISMATCH 0x011c0214
>
> Further information about the configuration of these text files can be found
> in CA Spectrum manual #5127, titled Cisco Applications User Guide.
> In 9.2, the manual name is Spectrum_Cisco_Device_Management_ENU.pdf
>
> HTH,
> --Mark S
>
> Mark Serencha - Inforonics Global Services, LLC - (m) +1-781-439-0519 -
> Mark.Serencha_AT_inforonics.com
>
> -----Original Message-----
> From: Sorrell, Al [mailto:[email protected]]
> Sent: Wednesday, October 26, 2011 8:05 AM
> To: spectrum
> Subject: RE: [spectrum] Event Configuration
>
> That particular event handles undefined SYSLOG traps from Cisco devices and
> has 3 varbinds:
> # varbind 1 (v 1) is the facility, e.g., CRYPTO
> # varbind 2 (v 2) is the numeric severity level, e.g., 4
> # varbind 3 (v 3) is the message type, e.g. RECVD_PKT_INV_SPI
>
> I also spent a long time trying to trace the actual source of that event, but
> finally gave up and just used it. It's a way to handle various SYSLOG trap
> events that aren't handled in $SPECROOT/SS/CsVendor/Cisco_Router/Rtr.txt
> and/or Ctron_CAT/Switch.txt, e.g.
> 0x210c0e R CA.EventCondition, \
> "({v 1} == {S \"AUTHMGR\"} && {v 3} == {S \"SUCCESS\"})" , "0xfff00002 -:-", \
> "({v 1} == {S \"AUTHMGR\"} && {v 3} == {S \"START\"})" , "0xfff00002 -:-", \
> "({v 1} == {S \"AUTHMGR\"} && {v 3} == {S \"FAIL\"})" , "0xfff00002 -:-", \
> "({v 1} == {S \"BGP\"} && {v 3} == {S \"ADJCHANGE\"})" , "0xfff00020 -:-", \
>
> ...
>
>
>> -----Original Message-----
>> From: Kenneth Kirchner [mailto:[email protected]]
>> Sent: Tuesday, October 25, 2011 10:06 PM
>> To: spectrum
>> Subject: [spectrum] Event Configuration
>>
>> Can someone tell me how to find out what variables are available in an
>> event like 0x00210c0e? This event feeds 4 others, but I cannot determine
>> where it comes from or what is stored in its variables.
>> I have grep'ed the entire spectrum directory for it and I have only
>> found the EventDisp which is what I already know. I know it's caused
>> by Syslog traps, but how? I can't find anything in any AlertMap files.
>
---
To unsubscribe from spectrum, send email to [email protected] with the body:
unsubscribe spectrum [email protected]
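
Added example, not part of the original thread and not Spectrum code: a Python sketch of what the 0x00210d41 procedure quoted above does to the event variables, followed by an Rtr.txt-style lookup that falls back to 0x00210c0e for unmapped messages, as the replies describe. The sample varbinds are constructed; the unanchored regexp search, the exact-match lookup, and feeding the procedure's output into that lookup are assumptions.

```python
import re

# Pattern copied from the 0x00210d41 procedure quoted in the thread.
MNEMONIC_RE = re.compile(r"%.*?-.*?-(.*?):")
FALLBACK_EVENT = "0x00210c0e"  # described in the thread as the undefined-syslog event
# Rtr.txt-format line taken from the thread: class, severity, mnemonic, event ID.
RTR_SAMPLE = "CDP 4 DUPLEXMISMATCH 0x011c0214\n"

def run_210d41(varbinds):
    """Mirror the quoted procedure; varbinds maps index -> value, 4 = message text."""
    text = varbinds.get(4, "")
    match = MNEMONIC_RE.search(text)  # assumption: Regexp() is an unanchored search
    if match:
        out = dict(varbinds)
        out[3] = match.group(1)  # SetEventVariable(..., {U 3}, GetRegexp(...))
        return "0x00210d40", out
    # No mnemonic found: the procedure creates 0x00210d42 with the raw text in var 1.
    return "0x00210d42", {1: text, 2: "could not extract mnemonic"}

def load_map(text):
    """Parse Rtr.txt-style lines into {(class, severity, mnemonic): event_id}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            table[tuple(fields[:3])] = fields[3]
    return table

def map_event(table, varbinds):
    """Exact-match lookup (assumed); unmapped triples get the fallback event."""
    key = (varbinds.get(1), str(varbinds.get(2)), varbinds.get(3))
    return table.get(key, FALLBACK_EVENT)

# Constructed sample varbinds (not captured from a device).
SAMPLES = {
    "mapped": {1: "CDP", 2: "4", 4: "%CDP-4-DUPLEXMISMATCH: duplex mismatch on Fa0/1"},
    "unmapped": {1: "CRYPTO", 2: "4", 4: "%CRYPTO-4-RECVD_PKT_INV_SPI: invalid spi"},
    "extra_field": {1: "PM", 2: "4", 4: "%PM-SP-4-ERR_DISABLE: port disabled"},
    "no_header": {1: "SYS", 2: "5", 4: "message without the usual header"},
}

if __name__ == "__main__":
    table = load_map(RTR_SAMPLE)
    for name, vb in SAMPLES.items():
        event, out = run_210d41(vb)
        mapped = map_event(table, out) if event == "0x00210d40" else "-"
        print(name, event, out.get(3), mapped)
```

The `extra_field` sample shows that the lazy pattern captures `4-ERR_DISABLE` when a message carries one more hyphen-separated field before the severity, so a lookup keyed on the mnemonic would miss it.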