nv-l
[Top] [All Lists]

RE: [nv-l] Has anyone implemented the full TEC integration (correlation

To: <nv-l@lists.us.ibm.com>
Subject: RE: [nv-l] Has anyone implemented the full TEC integration (correlation rules) NV 7.1.4 and TEC 3.9
From: "Van Order, Drew \(US - Hermitage\)" <dvanorder@deloitte.com>
Date: Sun, 18 Jan 2004 16:03:33 -0600
Delivery-date: Sun, 18 Jan 2004 22:36:03 +0000
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
Importance: normal
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com
Thread-index: AcPc6i7VbWb2mSLWTNiIriuOk5eZeQBIHFHw
Thread-topic: [nv-l] Has anyone implemented the full TEC integration (correlation rules) NV 7.1.4 and TEC 3.9
3.9. I have not heard back from my engineer regarding the trace files
and screen captures. Having both this and TFNC running simultaneously is
great. My TEC console shows that both TFNC and NV see the same thing,
and I actually prefer NV's use of interface names rather than IP
addresses. What I don't yet understand is why there are HARMLESS events
still not closed, though it appears some actually did close at one
point. Some of the HARMLESS events are marked Response as the status. I
changed netview.rls to look back 10 hours in the rule cache versus 10
minutes since not all network occurrences are resolved by the next
netmon polling cycle ;-)

So, it seems to work, I just need to understand things better and see if
it is possible to change severities so events can come in as FATAL by
default without breaking the escalation rules. 

Drew

-----Original Message-----
From: owner-nv-l@lists.us.ibm.com [mailto:owner-nv-l@lists.us.ibm.com]
On Behalf Of Jane Curry
Sent: Saturday, January 17, 2004 4:23 AM
To: nv-l@lists.us.ibm.com
Subject: Re: [nv-l] Has anyone implemented the full TEC integration
(correlation rules) NV 7.1.4 and TEC 3.9


Drew,
What version of TEC are you on - do you have 3.8 or 3.9??  There have 
been some subtle but I think useful changes with netview.rls in 3.9.  
With TEC 3.8, the root-cause event was defined to be an interface.  With

3.9 if there is a router down (as opposed to a node down) event, then 
the root-cause is the router down, rather than interface(s) down.

Cheers,
Jane

Van Order, Drew (US - Hermitage) wrote:

>You are right, Jane. I did some research this AM. I have been sending
>screen shots to the engineer working my PMR, and also turned tracing on
>within the ruleset. Right now, I have 'simple' events correlating
>nicely, doing everything but closing the event after it's set to
>HARMLESS. In complex outages, I believe the not closing issue leaves
>HARMLESS events in the rules cache (we set our rule cache to get rid of
>CLOSED events as fast as possible), and causes spotty results when
>interfaces flap or bounce over a 15-20 minute period. I am really
>impressed with how quickly it correlates and manages a server's basic
>interface/node 'down then up' 5 minutes later.
>
>I'll keep you posted as well--many thanks!--Drew
>
>-----Original Message-----
>From: owner-nv-l@lists.us.ibm.com [mailto:owner-nv-l@lists.us.ibm.com]
>On Behalf Of Jane Curry
>Sent: Friday, January 16, 2004 2:05 PM
>To: nv-l@lists.us.ibm.com
>Subject: Re: [nv-l] Has anyone implemented the full TEC integration
>(correlation rules) NV 7.1.4 and TEC 3.9
>
>
>I think that the only stuff that disabling state correlation affects is

>if you are wanting to correlate service events from NetView with subnet

>events from NetView.  Certainly I have some node/router/interface 
>up/down correlation going on.  I shall be doing more work on this week 
>so I'll keep you posted?
>
>Cheers,
>Jane
>
>Van Order, Drew (US - Hermitage) wrote:
>
>  
>
>>Jane wins the prize--disabling state correlation now has events
>>appearing in TEC...and the up's are HARMLESS, the downs/unreachable
>>WARNING. Unfortunately, I'm not seeing the up or reachable again
events
>>closing the corresponding downs and unreachables. Does the state
>>correlation option somehow enable the change rules in netview.rls?  
>>
>>-----Original Message-----
>>From: owner-nv-l@lists.us.ibm.com [mailto:owner-nv-l@lists.us.ibm.com]
>>On Behalf Of Jane Curry
>>Sent: Friday, January 16, 2004 2:42 AM
>>To: nv-l@lists.us.ibm.com
>>Subject: Re: [nv-l] Has anyone implemented the full TEC integration
>>(correlation rules) NV 7.1.4 and TEC 3.9
>>
>>
>>Unless you have TEC 3.9 running then comment out the lines:
>>UseStateCorrelation=YES
>>StateCorrelationConfigURL=file:///usr/OV/conf/nvsbcrule.xml
>>
>>and run nvtecia -reload to pick up the modified config.  Even if you
do
>>    
>>
>
>  
>
>>have TEC 3.9, you might start by commenting these lines out to see if
>>    
>>
>it
>  
>
>>is the State Correlation that is getting in the way.
>>
>>Cheers,
>>Jane
>>
>>Van Order, Drew (US - Hermitage) wrote:
>>
>> 
>>
>>    
>>
>>>I really screwed up guys--was looking at the 7.1 guide. The 7.1.4
UNIX
>>>   
>>>
>>>      
>>>
>> 
>>
>>    
>>
>>>Guide has some decent information that gets you going in the right 
>>>direction. I ran the upgrade script and cycled the daemons. 
>>>Unfortunately, I see no events at TEC, nothing in wtdumprl, and 
>>>nothing in the /etc/Tivoli/tec cache files. I know TEC_ITS.rs exists 
>>>because I looked at it yesterday. Old tecint.conf:
>>>
>>>ServerLocation=dsmrdux02
>>>TecRuleName=Trap2Tec.rs
>>>ServerPort=0
>>>
>>>New tecint.conf:
>>>
>>>ServerLocation=dsmrdux02
>>>TecRuleName=TEC_ITS.rs
>>>ServerPort=0
>>>DefaultEventClass=TEC_ITS_BASE
>>>BufferEvents=YES
>>>UseStateCorrelation=YES
>>>StateCorrelationConfigURL=file:///usr/OV/conf/nvsbcrule.xml
>>>## The following four lines are for debugging the state correlation
>>>   
>>>
>>>      
>>>
>>engine
>> 
>>
>>    
>>
>>># LogLevel=ALL
>>># TraceLevel=ALL
>>># LogFileName=/usr/OV/log/adptlog.out
>>># TraceFileName=/usr/OV/log/adpttrc.out
>>>
>>>
>>>TFNC events are coming through. Any suggestions? Thank you for your 
>>>patience--Drew
>>>
>>>   -----Original Message-----
>>>   *From:* owner-nv-l@lists.us.ibm.com
>>>   [mailto:owner-nv-l@lists.us.ibm.com] *On Behalf Of *James Shanks
>>>   *Sent:* Thursday, January 15, 2004 2:39 PM
>>>   *To:* nv-l@lists.us.ibm.com
>>>   *Subject:* RE: [nv-l] Has anyone implemented the full TEC
>>>   integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>   Drew -
>>>
>>>   The phrase "nvserverd.baroc" does not appear anywhere in the 7.1.4
>>>   Admin Guide and the section Chris pointed to has revision bars on
>>>   every page indicating that is new and changed material.  Are you
>>>   certain that you are reading the 7.1.4 version?
>>>
>>>   James Shanks
>>>   Level 3 Support  for Tivoli NetView for UNIX and Windows
>>>   Tivoli Software / IBM Software Group
>>>
>>>
>>>
>>>     *"Van Order, Drew \(US - Hermitage\)" <dvanorder@deloitte.com>*
>>>   Sent by: owner-nv-l@lists.us.ibm.com
>>>
>>>   01/15/2004 02:59 PM
>>>   Please respond to nv-l
>>>
>>>            
>>>           To:        <nv-l@lists.us.ibm.com>
>>>           cc:        
>>>           Subject:        RE: [nv-l] Has anyone implemented the full
>>>   TEC integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>
>>>
>>>   Thank you. I read this yesterday, but it's older information,
>>>   referencing nvserverd.baroc, when it's now netview.baroc. I guess
>>>   that's my point; there are fragments of information in different
>>>   documents. I only found the new files because I was pointed to the
>>>   release notes! You have to piece it together as best you can and
>>>   hope what you are reading is correct. I'm very grateful for you
>>>   folks on the list. If this new correlation works, it is material
>>>   for a chapter in a redbook or the next set of NV manauls.
>>>   -----Original Message-----*
>>>   From:* owner-nv-l@lists.us.ibm.com
>>>   [mailto:owner-nv-l@lists.us.ibm.com] *On Behalf Of *Christopher
>>>   Haynes*
>>>   Sent:* Thursday, January 15, 2004 11:51 AM*
>>>   To:* nv-l@lists.us.ibm.com*
>>>   Subject:* RE: [nv-l] Has anyone implemented the full TEC
>>>   integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>   Drew,
>>>          Check out the stuff starting at the bottom of page 110 of
>>>   teh NetView Administrator's Guide.
>>>
>>>
>>>   
>>>
>>>      
>>>
>>http://publib.boulder.ibm.com/tividd/td/netview/SC32-1246-00/en_US/PDF
/
>>    
>>
>d
>  
>
>>uyl2mst.pdf
>> 
>>
>>    
>>
>>>   thanks,
>>>   Chris Haynes
>>>   haynesch@us.ibm.com
>>>   Tivoli Quality Assurance Manager
>>>   (919) 224-1217
>>>
>>>
>>>
>>>     *"Van Order, Drew \(US - Hermitage\)" <dvanorder@deloitte.com>*
>>>   Sent by: owner-nv-l@lists.us.ibm.com
>>>
>>>   01/15/2004 12:32 PM
>>>   Please respond to nv-l
>>>
>>>            
>>>          To:        <nv-l@lists.us.ibm.com>
>>>          cc:        
>>>          Subject:        RE: [nv-l] Has anyone implemented the full
>>>   TEC integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>
>>>
>>>
>>>   No doubt I overlooked something between the KB and manuals--where
>>>   can I find this script? I did a find for TEC_* and tec_* no file
>>>   resembling that name. If you can also point me to where this is
>>>   documented, I would be grateful. Thanks James--Drew
>>>   -----Original Message-----*
>>>   From:* owner-nv-l@lists.us.ibm.com
>>>   [mailto:owner-nv-l@lists.us.ibm.com] *On Behalf Of *James Shanks*
>>>   Sent:* Thursday, January 15, 2004 11:01 AM*
>>>   To:* nv-l@lists.us.ibm.com*
>>>   Subject:* RE: [nv-l] Has anyone implemented the full TEC
>>>   integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>   Drew -
>>>
>>>   I'm stumped about what is confusing to you.
>>>   There is no configuration for you to do, other than run the
>>>   tec_its_upgrade script and create a new tecint.conf (which happens
>>>   nicely if you rename your old one and create a new one from
>>>   serversetup).
>>>
>>>   The script changes the configuration of the NetView events in
>>>   trapd.conf so that they work with the new TEC rules.  It makes
>>>   TEC_ITS_BASE the new default event class instead of the old
>>>   Nvserverd_Event  class.  And it removes severity as passed field,
>>>   because severity will be set dynamically by the new TEC rules, and
>>>   they cannot do that correctly if you are sending your choice of
>>>   severity instead.  The NetView ruleset is the same one we shipped
>>>   in NetView 7.1.3 :  TEC_ITS.rs.  Bring it up in the NetView
>>>   ruleset editor and you'll see that it just picks out specific
>>>   NetView events and sends them to TEC.  If you want additional
>>>   events, from Cisco or something, you'll have to add those, but
>>>   those lie outside of the new integration.
>>>
>>>   That's all there is to the NetView side.
>>>
>>>   James Shanks
>>>   Level 3 Support  for Tivoli NetView for UNIX and Windows
>>>   Tivoli Software / IBM Software Group
>>>
>>>     *"Van Order, Drew \(US - Hermitage\)" <dvanorder@deloitte.com>*
>>>   Sent by: owner-nv-l@lists.us.ibm.com
>>>
>>>   01/15/2004 11:24 AM
>>>   Please respond to nv-l
>>>
>>>            
>>>         To:        <nv-l@lists.us.ibm.com>
>>>         cc:        
>>>         Subject:        RE: [nv-l] Has anyone implemented the full
>>>   TEC integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>
>>>
>>>
>>>
>>>   I started on it last night, and it does have some very useful
>>>   information. Unfortunately the NV side is where I am struggling
>>>   the most; namely the trap configurations and NV forwarding
>>>   ruleset. Until that is understood and confirmed configured
>>>   correctly to match what TEC expects it's tough to tell how well
>>>   the TEC rule is working. I just opened a sev 3 PMR; also offered
>>>   to help write any documentation that could be considered a guide.
>>>   Like most IT folks, I don't have the luxury of focusing on one
>>>   project at a time, and really need to slam and jam when solutions
>>>   are deemed shrink wrap.
>>>
>>>   Thanks for looking into this!
>>>   -----Original Message-----*
>>>   From:* owner-nv-l@lists.us.ibm.com
>>>   [mailto:owner-nv-l@lists.us.ibm.com] *On Behalf Of *Christopher
>>>   Haynes*
>>>   Sent:* Thursday, January 15, 2004 9:57 AM*
>>>   To:* nv-l@lists.us.ibm.com*
>>>   Subject:* Re: [nv-l] Has anyone implemented the full TEC
>>>   integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>   Drew,
>>>        I don't know if you have looked at it yet but you might want
>>>   to check out the TEC 3.9 Rule Set Reference
>>>
>>>
>>>   
>>>
>>>      
>>>
>>http://publib.boulder.ibm.com/tividd/td/tec/SC32-1282-00/en_US/PDF/eco
s
>>    
>>
>m
>  
>
>>st.pdf
>> 
>>
>>    
>>
>>>   It goes into detail about what all the rulesets do (including
>>>   netview.rls)
>>>
>>>   thanks,
>>>   Chris Haynes
>>>   haynesch@us.ibm.com
>>>   Tivoli Quality Assurance Manager
>>>   (919) 224-1217
>>>
>>>     *"Van Order, Drew \(US - Hermitage\)" <dvanorder@deloitte.com>*
>>>   Sent by: owner-nv-l@lists.us.ibm.com
>>>
>>>   01/14/2004 08:09 PM
>>>   Please respond to nv-l
>>>
>>>            
>>>        To:        <nv-l@lists.us.ibm.com>
>>>        cc:        
>>>        Subject:        [nv-l] Has anyone implemented the full TEC
>>>   integration (correlation rules) NV 7.1.4 and TEC 3.9
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>   If there is a single document, can someone point me to it? I've
>>>   found pieces and parts in the different manuals, but it's not
>>>   working out of box (as advertised by our sales team):
>>>
>>>       * Netview.baroc and netview.rls in rulebase
>>>       * Netview6000 traps in NV ruleset TEC adapter uses
>>>       * Netview6000 traps have TEC_ITS event classes mapped in
>>>   
>>>
>>>      
>>>
>>xnmtrap
>> 
>>
>>    
>>
>>>         Events reach TEC, but severities do not make sense, and I'm
>>>         sure this means any change rules in the ruleset will not
>>>         execute. For example, TEC_ITS_INTERFACE_STATUS is HARMLESS
>>>         at TEC, yet message is interface xxx is down. However, I
>>>         have a SEGMENT_STATUS and NETWORK_STATUS event as WARNING in
>>>         TEC, but the message indicates they are up. The netview6000
>>>         traps are set from previous versions where TEC classes were
>>>         OV_. I directly edited TEC classes for each trap in xnmtrap,
>>>         but I think this issue pertains to TEC slots that are not
>>>         being passed in the trap or matching what the TEC rule
>>>   
>>>
>>>      
>>>
>>expects.
>> 
>>
>>    
>>
>>>         We are trying to replace TFNC, which has been worth every
>>>         penny. Do I need to feed the netview6000 MIB through
>>>         mib2trap again--and will this populate xnmtrap properly?
>>>         What's the name of the mibfile that contains the netview6000
>>>         OID?
>>>
>>>         Sorry for all the questions--since this integration crosses
>>>         NV and TEC boundaries, I'm not sure if a PMR will get me
>>>         anywhere. I think I'm getting close, but there has to be an
>>>         easier way.
>>>
>>>         Thanks--Drew
>>>
>>>         */Drew Van Order/* */
>>>         ESM Architect/* */
>>>         (615) 882-7836 Office/* */
>>>         (888) 530-1012 Pager/*
>>>
>>>         This message (including any attachments) contains
>>>         confidential information intended for a specific individual
>>>         and purpose, and is protected by law. If you are not the
>>>         intended recipient, you should delete this message. Any
>>>         disclosure, copying, or distribution of this message, or the
>>>         taking of any action based on it, is strictly prohibited.
>>>
>>>         This message (including any attachments) contains
>>>         confidential information intended for a specific individual
>>>         and purpose, and is protected by law. If you are not the
>>>         intended recipient, you should delete this message. Any
>>>         disclosure, copying, or distribution of this message, or the
>>>         taking of any action based on it, is strictly prohibited.
>>>
>>>         This message (including any attachments) contains
>>>         confidential information intended for a specific individual
>>>         and purpose, and is protected by law. If you are not the
>>>         intended recipient, you should delete this message. Any
>>>         disclosure, copying, or distribution of this message, or the
>>>         taking of any action based on it, is strictly prohibited.
>>>
>>>         This message (including any attachments) contains
>>>         confidential information intended for a specific individual
>>>         and purpose, and is protected by law. If you are not the
>>>         intended recipient, you should delete this message. Any
>>>         disclosure, copying, or distribution of this message, or the
>>>         taking of any action based on it, is strictly prohibited.
>>>
>>>
>>>This message (including any attachments) contains confidential 
>>>information intended for a specific individual and purpose, and is 
>>>protected by law. If you are not the intended recipient, you should 
>>>delete this message. Any disclosure, copying, or distribution of this

>>>message, or the taking of any action based on it, is strictly
>>>   
>>>
>>>      
>>>
>>prohibited.
>> 
>>
>>
>> 
>>
>>    
>>
>
>  
>

-- 
Tivoli Certified Consultant & Instructor
Skills 1st Limited, 2 Cedar Chase, Taplow, Bucks, SL6 0EU, UK
Tel: +44 (0)1628 782565
Copyright (c) 2004 Jane Curry <jane.curry@skills-1st.co.uk>.  All rights
reserved.





This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law.  If 
you are not the intended recipient, you should delete this message.  Any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, is strictly prohibited.


<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web