To: | Tivoli NetView Discussions <nv-l@lists.ca.ibm.com> |
---|---|
Subject: | Re: [NV-L] Ruleset Editing Questions |
From: | James Shanks <jshanks@us.ibm.com> |
Date: | Tue, 24 Oct 2006 12:00:45 -0400 |
Delivery-date: | Wed, 25 Oct 2006 17:54:23 +0100 |
Envelope-to: | nv-l-archive@lists.skills-1st.co.uk |
In-reply-to: | <OF933F6B9E.16065860-ON85257211.0056534E-85257211.0056DFC4@cantire.com> |
Reply-to: | Tivoli NetView Discussions <nv-l@lists.ca.ibm.com> |
Sender: | nv-l-bounces@lists.ca.ibm.com |
No way. cat your ruleset again. If the nvcorrd.alog trace shows a leading dot, then that's what is in the ruleset he loaded. And that's what the nvcorrd trace you posted shows.

My config is correct in the rules editor. But the output of nvcdebug -n is different. Looks like the Cisco guys might have solved our flooding problem. I still want to get this working for my own sanity though.

Sean Lawrence
Systems Automation
Ext 5728

Greg Keetch <gkeetch@ca.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 11:27 AM
Please respond to Tivoli NetView Discussions
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: Re: [NV-L] Ruleset Editing Questions

I saw in another response from you that you removed the leading '.' from the enterprise ID in your ruleset... This output shows that it's still there. Has there been any change since you removed it?

Regards,
Greg Keetch
IT Specialist (Advisor), Network Services
Network Management Tools Specialist
Information Technology Services Americas (ITSA), Global Services, IBM Canada

sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 08:09 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: Re: [NV-L] Ruleset Editing Questions

Ok maybe someone can explain what I am seeing here. Why am I still getting a 1.3.6.1.4.1.9.1.400 trap forwarded to TEC?

```
2006/24/10 09:46:38 CorrelationDef.C[562] : Current running correlation: CorrelationDefinition(0x30033b08)
+ RootDnode
+ + RuleSet forwardall.rs
+ + + Forward(19) Corrnode application=0x303d2888
+ + RuleSet test.rs
+ + + EventAttributes (Attr='EnterpriseID' ne Value='.1.3.6.1.4.1.9.1.400')
+ + + + EventAttributes (Attr='Origin' ne Value='42.231.8.3')
+ + + + + EventAttributes (Attr='Origin' ne Value='42.2.1.12')
+ + + + + + EventAttributes (Attr='Origin' ne Value='42.2.1.13')
+ + + + + + + EventAttributes (Attr='Origin' ne Value='0.0.0.0')
+ + + + + + + + Forward(130) Corrnode application=0x30062d18
2006/24/10 10:35:24 .//nl_nvcorrd.C[634] : ===> Received a Trap
2006/24/10 10:35:24 EventData.C[110] : Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
2006/24/10 10:35:24 EventData.C[121] : Attr(Generic='(ulong,2)')
2006/24/10 10:35:24 EventData.C[128] : Attr(Specific='0')
2006/24/10 10:35:24 EventData.C[233] : Received event CID(60206) sysOID(1.3.6.1.4.1.9.1.400) Gen(2) Spec(0)
2006/24/10 10:35:24 .//nl_nvcorrd.C[721] : ===> Processing Event =========================== 1 of 1 Event CID(60206) 10:35:24 Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)') Attr(Generic='(ulong,2)') Attr(Specific='0')
2006/24/10 10:35:24 BaseDnodes.C[598] : RootDnode::resolveRootDnode() = TRUE
2006/24/10 10:35:24 BaseDnodes.C[699] : RuleSet::resolve() RuleSetName =forwardall.rs
2006/24/10 10:35:24 CorrDnodes.C[1111] : Forward::resolve() queueing event for forwaring:Event(CID(60206), Attr(E
2006/24/10 10:35:24 BaseDnodes.C[699] : RuleSet::resolve() RuleSetName =test.rs
2006/24/10 10:35:24 EventAttrDnode.C[101] : EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID ne .1.3.6.1.4.
2006/24/10 10:35:24 EventData.C[121] : Attr(Origin='(ulong,711727166)')
2006/24/10 10:35:24 EventData.C[121] : Attr(sysUpTime='(ulong,3730356673)')
2006/24/10 10:35:24 EventData.C[110] : Attr(Community='(char,public)')
2006/24/10 10:35:24 EventData.C[669] : Event CID=CID(60206) Attributes
2006/24/10 10:35:24 EventData.C[670] : agentAddress=711727166 sysUpTime=3730356673 Community=public
2006/24/10 10:35:24 EventData.C[110] : Attr(1='(char,64)')
2006/24/10 10:35:24 EventData.C[110] : Attr(2='(char,GigabitEthernet10/10)')
2006/24/10 10:35:24 EventData.C[110] : Attr(3='(char,6)')
2006/24/10 10:35:24 EventData.C[110] : Attr(4='(char,Lost Carrier)')
2006/24/10 10:35:24 EventData.C[121] : Attr(Category='(ulong,3)')
2006/24/10 10:35:24 EventData.C[110] : Attr(Source='(char,A)')
2006/24/10 10:35:24 EventData.C[121] : Attr(Severity='(ulong,1)')
2006/24/10 10:35:24 EventAttrDnode.C[101] : EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.231.8.3)) = TR
2006/24/10 10:35:24 EventAttrDnode.C[101] : EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.2.1.12)) = TRU
2006/24/10 10:35:24 EventAttrDnode.C[101] : EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.2.1.13)) = TRU
2006/24/10 10:35:24 EventAttrDnode.C[101] : EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 0.0.0.0)) = TRUE
2006/24/10 10:35:24 CorrDnodes.C[1111] : Forward::resolve() queueing event for forwaring:Event(CID(60206), Attr(E
2006/24/10 10:35:24 EventAttrDnode.C[105] : EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID eq 1.3.6.1.4.1
2006/24/10 10:35:24 EventAttrDnode.C[105] : EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID eq 1.3.6.1.4.1
2006/24/10 10:35:24 CorrDnodes.C[230] : ===> Processing actions for forwardall.rs
2006/24/10 10:35:24 CorrDnodes.C[772] : combining Action with empty ForwardCorrAction
2006/24/10 10:35:24 CorrDnodes.C[391] : Forward notification to appl(86080, forwardall.rs, Active) CID(60206) S
2006/24/10 10:35:24 CorrDnodes.C[419] : forwarding EventInst: Event CID(60206) 10:35:24 Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)') Attr(Generic='(ulong,2)') Attr(Specific='0') Attr(Origin='(ulong,711727166)') Attr(sysUpTime='(ulong,3730356673)') Attr(Community='(char,public)') Attr(1='(char,64)') Attr(2='(char,GigabitEthernet10/10)') Attr(3='(char,6)') Attr(4='(char,Lost Carrier)') Attr(Category='(ulong,3)') Attr(Source='(char,A)') Attr(Severity='(ulong,1)')
2006/24/10 10:35:24 CorrDnodes.C[524] : Forwarding buffer. cid=60206 length=148 buffer=0x304104d8
2006/24/10 10:35:24 CorrDnodes.C[526] : severity=99 status=99 causingCID=0 causedCID=0 primeTime=0
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for forwardall.rs forwards=1 overrides=0 resolves
2006/24/10 10:35:24 CorrDnodes.C[230] : ===> Processing actions for test.rs
2006/24/10 10:35:24 CorrDnodes.C[772] : combining Action with empty ForwardCorrAction
2006/24/10 10:35:24 CorrDnodes.C[391] : Forward notification to appl(86080, test.rs, Active) CID(60206) SEV(99)
2006/24/10 10:35:24 CorrDnodes.C[419] : forwarding EventInst: Event CID(60206) 10:35:24 Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)') Attr(Generic='(ulong,2)') Attr(Specific='0') Attr(Origin='(ulong,711727166)') Attr(sysUpTime='(ulong,3730356673)') Attr(Community='(char,public)') Attr(1='(char,64)') Attr(2='(char,GigabitEthernet10/10)') Attr(3='(char,6)') Attr(4='(char,Lost Carrier)') Attr(Category='(ulong,3)') Attr(Source='(char,A)') Attr(Severity='(ulong,1)')
2006/24/10 10:35:24 CorrDnodes.C[524] : Forwarding buffer. cid=60206 length=148 buffer=0x304104d8
2006/24/10 10:35:24 CorrDnodes.C[526] : severity=99 status=99 causingCID=0 causedCID=0 primeTime=0
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for test.rs forwards=1 overrides=0 resolves=0
2006/24/10 10:35:24 .//nl_nvcorrd.C[745] : ===> Finished with the trap ====================================
```

Sean Lawrence
Systems Automation
Ext 5728

Greg Keetch <gkeetch@ca.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 10:25 AM
Please respond to Tivoli NetView Discussions
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: Re: [NV-L] Ruleset Editing Questions

Hello,

The forwardall.rs ruleset is used by default in the Event Display, so this is where it is probably getting loaded. There is no relationship between the rulesets that are used by ESE.automation, Event Display, or TEC forwarding using tecint.conf. Each one has its own destination for forwarding events to, so the forwardall.rs in the Event Display will not override the ruleset in tecint.conf for TEC forwarding.

Regards,
Greg Keetch
IT Specialist (Advisor), Network Services
Network Management Tools Specialist
Information Technology Services Americas (ITSA), Global Services, IBM Canada

sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 06:56 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: Re: [NV-L] Ruleset Editing Questions

Ok I ran the "nvcdebug -n" command. The output is as follows:

```
2006/24/10 09:46:38 CorrelationDef.C[562] : Current running correlation: CorrelationDefinition(0x30033b08)
+ RootDnode
+ + RuleSet forwardall.rs
+ + + Forward(19) Corrnode application=0x303d2888
+ + RuleSet test.rs
+ + + EventAttributes (Attr='EnterpriseID' ne Value='.1.3.6.1.4.1.9.1.502')
+ + + + EventAttributes (Attr='Origin' ne Value='42.231.8.3')
+ + + + + EventAttributes (Attr='Origin' ne Value='42.2.1.12')
+ + + + + + EventAttributes (Attr='Origin' ne Value='42.2.1.13')
+ + + + + + + EventAttributes (Attr='Origin' ne Value='0.0.0.0')
+ + + + + + + + Forward(130) Corrnode application=0x30062d18
```

I do not know why the forwardall.rs is being loaded. The ESE.automation file is as follows:

```
#This file should contain a list of filenames
#that will be autmatically started by actionsvr.
#Each rule set name is on a separate line; the pund sign
#indicates a comment line.
#An example line, with the name commented out) is below:
#your_ruleset_here.rs
```

Am I correct in assuming that the forwardall.rs is forwarding everything before the test.rs even gets a look at it?

Sean Lawrence
Systems Automation
Ext 5728

James Shanks <jshanks@us.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 09:16 AM
Please respond to Tivoli NetView Discussions
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: Re: [NV-L] Ruleset Editing Questions

If you use xnmtrap and set the trap to "Log Only", it will not be sent to TEC nor display in your event windows, but it will be kept in trapd.log so that you can gauge how many you are getting. You can also set the trapd to "Don't Log or Display" and this will keep it from the log as well, but then you'll have no way of knowing what's going on if you start having a performance problem because too many of these traps are arriving.

Cisco devices are highly configurable. You usually can configure just the traps you want and even the frequency that they are sent. Perhaps you should talk to your network guys about that and solve the problem at the source. Remember that getting a lot of unwanted traps isn't just a nuisance. It's a performance issue, not just for NetView, but for everyone else on the same subnet. That's their potential bandwidth you are eating and throwing away.

As for your ruleset, I'm not sure what it is supposed to say. Greater than or less than the OID? Why not just "not equal to"? But in any case you can tell exactly what ruleset you are running in two ways. If you are keeping an nvserverd.log, then the name will be in there, as will evidence of the reload. But whether you are or are not keeping the nvserverd.log, you can issue "nvcdebug -n" which will cause nvcorrd to write out in detail to his log what rulesets he is running. You can see the contents of the ruleset there. You can also debug this way by sending "nvcdebug -d all" and then observing what happens to each event as it is evaluated. Everything between the eyecatcher "Received a trap" and "Finished with the event" is nvcorrd processing that event.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp

sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 08:13 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
cc:
Subject: [NV-L] Ruleset Editing Questions

I am trying to set up some rules to filter out traps coming from Ciscoworks. We are getting way too many now that the network guys have turned it on. Is there a way to simply drop traps that have not been defined in the trapd.conf? I do not want to keep them in Netview or forward them to TEC.

On a side note I am having trouble setting up simple rules. I am receiving a trap from Ciscoworks with the OID of 1.3.6.1.4.1.9.1.502. I do not want this forwarded to TEC. In the ruleset defined in tecint.conf I created an Event Attributes rule. It looks like this:

Event Stream -> (EnterpriseOID <> 1.3.6.1.4.1.9.1.502) -> Forward

I ran the nvtecia -reload command to reload the ruleset and I am still getting these forwarded. Is there something else required to load modified rulesets?

Sean

_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to internal IBM'ers only)
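An added example, not part of the thread and not NetView code: a small Python check over an nvcorrd trace that lists EnterpriseID values in the loaded rulesets that differ from a received trap's EnterpriseID only by a leading dot, together with the per-ruleset forward counts. The sample trace is constructed from lines quoted in the thread, and the regular expressions assume the trace layout shown there.

```python
import re

# Constructed sample, shortened from the nvcorrd trace lines quoted in the thread.
SAMPLE_TRACE = """\
2006/24/10 09:46:38 CorrelationDef.C[562] : Current running correlation: CorrelationDefinition(0x30033b08)
+ RootDnode
+ + RuleSet forwardall.rs
+ + + Forward(19) Corrnode application=0x303d2888
+ + RuleSet test.rs
+ + + EventAttributes (Attr='EnterpriseID' ne Value='.1.3.6.1.4.1.9.1.400')
+ + + + EventAttributes (Attr='Origin' ne Value='42.231.8.3')
+ + + + + Forward(130) Corrnode application=0x30062d18
2006/24/10 10:35:24 .//nl_nvcorrd.C[634] : ===> Received a Trap
2006/24/10 10:35:24 EventData.C[110] : Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for forwardall.rs forwards=1 overrides=0 resolves
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for test.rs forwards=1 overrides=0 resolves=0
"""

# Patterns assume the "nvcdebug -n" / "nvcdebug -d all" output format seen in the thread.
RULESET = re.compile(r"^(?:\+ )+RuleSet (\S+)")
RULE_OID = re.compile(r"EventAttributes \(Attr='EnterpriseID' (\w+) Value='([^']*)'\)")
TRAP_OID = re.compile(r"Attr\(EnterpriseID='\(char,([^)]*)\)'\)")
FORWARDS = re.compile(r"Completed actions for (\S+) forwards=(\d+)")

def audit(trace):
    """Return (rules, trap_oids, forwards, mismatches) found in an nvcorrd trace."""
    rules, trap_oids, forwards, current = [], set(), {}, None
    for line in trace.splitlines():
        if m := RULESET.match(line):
            current = m.group(1)            # ruleset that owns the following nodes
        elif m := RULE_OID.search(line):
            rules.append((current, m.group(1), m.group(2)))
        elif m := TRAP_OID.search(line):
            trap_oids.add(m.group(1))       # EnterpriseID as nvcorrd received it
        elif m := FORWARDS.search(line):
            forwards[m.group(1)] = forwards.get(m.group(1), 0) + int(m.group(2))
    # Rule values that equal a received OID only after stripping a leading dot:
    # the textual difference the thread is discussing.
    mismatches = [(rs, op, val) for rs, op, val in rules
                  if val not in trap_oids and val.lstrip(".") in trap_oids]
    return rules, trap_oids, forwards, mismatches

if __name__ == "__main__":
    _, _, forwards, mismatches = audit(SAMPLE_TRACE)
    for rs, op, val in mismatches:
        print(f"{rs}: EnterpriseID {op} '{val}' differs from received OID only by a leading dot")
    for rs, count in forwards.items():
        print(f"{rs}: forwarded {count} event(s)")
```
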
Archive operated by Skills 1st Ltd