
Re: [NV-L] Ruleset Editing Questions

To: Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
Subject: Re: [NV-L] Ruleset Editing Questions
From: sean.lawrence@cantire.com
Date: Wed, 25 Oct 2006 12:59:48 -0400
Sender: nv-l-bounces@lists.ca.ibm.com

Well, I got this working.

I am not seeing this behaviour.

"Note that if you change your TEC ruleset after nvserverd is started, then 
you must restart him or reload with nvtecia."

I was using nvtecia -reload. If I used the ruleset in a new event view I 
would see my changes. It was not until I restarted NetView that the events 
stopped forwarding to TEC. I assume that a restart of nvserverd is 
required for it to pick up the ruleset changes.


Sean Lawrence
Systems Automation
Ext 5728




James Shanks <jshanks@us.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 12:00 PM
Please respond to Tivoli NetView Discussions

 
        To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
        cc: 
        Subject:        Re: [NV-L] Ruleset Editing Questions


No way. cat your ruleset again. If the nvcorrd.alog trace shows a leading 
dot, then that's what is in the ruleset he loaded. And that's what the 
nvcorrd trace you posted shows.

Note that if you change your TEC ruleset after nvserverd is started, then 
you must restart him or reload with nvtecia. 



James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp


sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 11:48 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        Re: [NV-L] Ruleset Editing Questions


My config is correct in the rules editor. But the output of nvcdebug -n is
different.

Looks like the Cisco guys might have solved our flooding problem. 

I still want to get this working for my own sanity though.

Sean Lawrence
Systems Automation
Ext 5728




Greg Keetch <gkeetch@ca.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 11:27 AM
Please respond to Tivoli NetView Discussions


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc: 
       Subject:        Re: [NV-L] Ruleset Editing Questions


I saw in another response from you that you removed the leading '.' from
the enterprise ID in your ruleset... This output shows that it's still
there. Has there been any change since you removed it?

Regards,
Greg Keetch
IT Specialist (Advisor), Network Services
Network Management Tools Specialist
Information Technology Services Americas (ITSA), Global Services, IBM
Canada




sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 08:09 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        Re: [NV-L] Ruleset Editing Questions






Ok maybe someone can explain what I am seeing here. Why am I still getting
a 1.3.6.1.4.1.9.1.400 trap forwarded to TEC?

2006/24/10 09:46:38   CorrelationDef.C[562] :   Current running correlation:
CorrelationDefinition(0x30033b08)
+  RootDnode
+  +  RuleSet forwardall.rs
+  +  +  Forward(19) Corrnode application=0x303d2888
+  +  RuleSet test.rs
+  +  +  EventAttributes (Attr='EnterpriseID'  ne  Value='.1.3.6.1.4.1.9.1.400')
+  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.231.8.3')
+  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.2.1.12')
+  +  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.2.1.13')
+  +  +  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='0.0.0.0')
+  +  +  +  +  +  +  +  Forward(130) Corrnode application=0x30062d18

2006/24/10 10:35:24    .//nl_nvcorrd.C[634] :   ===> Received a Trap
2006/24/10 10:35:24        EventData.C[110] :   Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
2006/24/10 10:35:24        EventData.C[121] :   Attr(Generic='(ulong,2)')
2006/24/10 10:35:24        EventData.C[128] :   Attr(Specific='0')
2006/24/10 10:35:24        EventData.C[233] :   Received event CID(60206) sysOID(1.3.6.1.4.1.9.1.400) Gen(2) Spec(0)
2006/24/10 10:35:24    .//nl_nvcorrd.C[721] :   ===> Processing Event =========================== 1 of 1
        Event CID(60206) 10:35:24
        Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
        Attr(Generic='(ulong,2)')
        Attr(Specific='0')
2006/24/10 10:35:24       BaseDnodes.C[598] :   RootDnode::resolveRootDnode() = TRUE
2006/24/10 10:35:24       BaseDnodes.C[699] :   RuleSet::resolve() RuleSetName =forwardall.rs
2006/24/10 10:35:24       CorrDnodes.C[1111] :  Forward::resolve() queueing event for forwaring:Event(CID(60206), Attr(E
2006/24/10 10:35:24       BaseDnodes.C[699] :   RuleSet::resolve() RuleSetName =test.rs
2006/24/10 10:35:24   EventAttrDnode.C[101] :   EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID ne .1.3.6.1.4.
2006/24/10 10:35:24        EventData.C[121] :   Attr(Origin='(ulong,711727166)')
2006/24/10 10:35:24        EventData.C[121] :   Attr(sysUpTime='(ulong,3730356673)')
2006/24/10 10:35:24        EventData.C[110] :   Attr(Community='(char,public)')
2006/24/10 10:35:24        EventData.C[669] :   Event CID=CID(60206) Attributes
2006/24/10 10:35:24        EventData.C[670] :   agentAddress=711727166 sysUpTime=3730356673 Community=public
2006/24/10 10:35:24        EventData.C[110] :   Attr(1='(char,64)')
2006/24/10 10:35:24        EventData.C[110] :   Attr(2='(char,GigabitEthernet10/10)')
2006/24/10 10:35:24        EventData.C[110] :   Attr(3='(char,6)')
2006/24/10 10:35:24        EventData.C[110] :   Attr(4='(char,Lost Carrier)')
2006/24/10 10:35:24        EventData.C[121] :   Attr(Category='(ulong,3)')
2006/24/10 10:35:24        EventData.C[110] :   Attr(Source='(char,A)')
2006/24/10 10:35:24        EventData.C[121] :   Attr(Severity='(ulong,1)')
2006/24/10 10:35:24   EventAttrDnode.C[101] :   EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.231.8.3)) = TR
2006/24/10 10:35:24   EventAttrDnode.C[101] :   EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.2.1.12)) = TRU
2006/24/10 10:35:24   EventAttrDnode.C[101] :   EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 42.2.1.13)) = TRU
2006/24/10 10:35:24   EventAttrDnode.C[101] :   EventAttributes::resolve(EventAttrDnode(Attr:Origin ne 0.0.0.0)) = TRUE
2006/24/10 10:35:24       CorrDnodes.C[1111] :  Forward::resolve() queueing event for forwaring:Event(CID(60206), Attr(E
2006/24/10 10:35:24   EventAttrDnode.C[105] :   EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID eq 1.3.6.1.4.1
2006/24/10 10:35:24   EventAttrDnode.C[105] :   EventAttributes::resolve(EventAttrDnode(Attr:EnterpriseID eq 1.3.6.1.4.1
2006/24/10 10:35:24       CorrDnodes.C[230] :   ===> Processing actions for forwardall.rs
2006/24/10 10:35:24       CorrDnodes.C[772] :   combining Action with empty ForwardCorrAction
2006/24/10 10:35:24       CorrDnodes.C[391] :   Forward notification to appl(86080, forwardall.rs, Active) CID(60206) S
2006/24/10 10:35:24       CorrDnodes.C[419] :   forwarding EventInst:
        Event CID(60206) 10:35:24
        Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
        Attr(Generic='(ulong,2)')
        Attr(Specific='0')
        Attr(Origin='(ulong,711727166)')
        Attr(sysUpTime='(ulong,3730356673)')
        Attr(Community='(char,public)')
        Attr(1='(char,64)')
        Attr(2='(char,GigabitEthernet10/10)')
        Attr(3='(char,6)')
        Attr(4='(char,Lost Carrier)')
        Attr(Category='(ulong,3)')
        Attr(Source='(char,A)')
        Attr(Severity='(ulong,1)')
2006/24/10 10:35:24       CorrDnodes.C[524] :   Forwarding buffer. cid=60206 length=148 buffer=0x304104d8
2006/24/10 10:35:24       CorrDnodes.C[526] :   severity=99 status=99 causingCID=0 causedCID=0 primeTime=0
2006/24/10 10:35:24       CorrDnodes.C[277] :   ===> Completed actions for forwardall.rs forwards=1 overrides=0 resolves
2006/24/10 10:35:24       CorrDnodes.C[230] :   ===> Processing actions for test.rs
2006/24/10 10:35:24       CorrDnodes.C[772] :   combining Action with empty ForwardCorrAction
2006/24/10 10:35:24       CorrDnodes.C[391] :   Forward notification to appl(86080, test.rs, Active) CID(60206) SEV(99)
2006/24/10 10:35:24       CorrDnodes.C[419] :   forwarding EventInst:
        Event CID(60206) 10:35:24
        Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
        Attr(Generic='(ulong,2)')
        Attr(Specific='0')
        Attr(Origin='(ulong,711727166)')
        Attr(sysUpTime='(ulong,3730356673)')
        Attr(Community='(char,public)')
        Attr(1='(char,64)')
        Attr(2='(char,GigabitEthernet10/10)')
        Attr(3='(char,6)')
        Attr(4='(char,Lost Carrier)')
        Attr(Category='(ulong,3)')
        Attr(Source='(char,A)')
        Attr(Severity='(ulong,1)')
2006/24/10 10:35:24       CorrDnodes.C[524] :   Forwarding buffer. cid=60206 length=148 buffer=0x304104d8
2006/24/10 10:35:24       CorrDnodes.C[526] :   severity=99 status=99 causingCID=0 causedCID=0 primeTime=0
2006/24/10 10:35:24       CorrDnodes.C[277] :   ===> Completed actions for test.rs forwards=1 overrides=0 resolves=0
2006/24/10 10:35:24    .//nl_nvcorrd.C[745] :   ===> Finished with the trap ====================================

Sean Lawrence
Systems Automation
Ext 5728




Greg Keetch <gkeetch@ca.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 10:25 AM
Please respond to Tivoli NetView Discussions


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        Re: [NV-L] Ruleset Editing Questions


Hello,

The forwardall.rs ruleset is used by default in the Event Display, so this
is where it is probably getting loaded. There is no relationship between
the rulesets that are used by ESE.automation, Event Display, or TEC
forwarding using tecint.conf. Each one has its own destination for
forwarding events to, so the forwardall.rs in the Event Display will not
override the ruleset in tecint.conf for TEC forwarding.

Regards,
Greg Keetch
IT Specialist (Advisor), Network Services
Network Management Tools Specialist
Information Technology Services Americas (ITSA), Global Services, IBM
Canada




sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 06:56 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        Re: [NV-L] Ruleset Editing Questions






Ok I ran the "nvcdebug -n" command. The output is as follows

2006/24/10 09:46:38   CorrelationDef.C[562] :   Current running correlation:
CorrelationDefinition(0x30033b08)
+  RootDnode
+  +  RuleSet forwardall.rs
+  +  +  Forward(19) Corrnode application=0x303d2888
+  +  RuleSet test.rs
+  +  +  EventAttributes (Attr='EnterpriseID'  ne  Value='.1.3.6.1.4.1.9.1.502')
+  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.231.8.3')
+  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.2.1.12')
+  +  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.2.1.13')
+  +  +  +  +  +  +  EventAttributes (Attr='Origin'  ne  Value='0.0.0.0')
+  +  +  +  +  +  +  +  Forward(130) Corrnode application=0x30062d18

I do not know why the forwardall.rs is being loaded. The ESE.automation
file is as follows

#This file should contain a list of filenames
#that will be autmatically started by actionsvr.
#Each rule set name is on a separate line; the pund sign
#indicates a comment line.
#An example line, with the name commented out) is below:
#your_ruleset_here.rs

Am I correct in assuming that the forwardall.rs is forwarding everything
before the test.rs even gets a look at it?



Sean Lawrence
Systems Automation
Ext 5728




James Shanks <jshanks@us.ibm.com>
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 09:16 AM
Please respond to Tivoli NetView Discussions


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        Re: [NV-L] Ruleset Editing Questions


If you use xnmtrap and set the trap to "Log Only", it will not be sent to
TEC nor display in your event windows, but it will be kept in trapd.log so
that you can gauge how many you are getting. You can also set the trapd to
"Don't Log or Display" and this will keep it from the log as well, but
then you'll have no way of knowing what's going on if you start having a
performance problem because too many of these traps are arriving.

Cisco devices are highly configurable. You usually can configure just the
traps you want and even the frequency that they are sent. Perhaps you
should talk to your network guys about that and solve the problem at the
source. Remember that getting a lot of unwanted traps isn't just a
nuisance. It's a performance issue, not just for NetView, but for everyone
else on the same subnet. That's their potential bandwidth you are eating
and throwing away.

As for your ruleset, I'm not sure what it is supposed to say. Greater than
or less than the OID? Why not just "not equal to"?

But in any case you can tell exactly what ruleset you are running in two
ways. If you are keeping an nvserverd.log, then the name will be in there,
as will evidence of the reload. But whether you are or are not keeping the
nvserverd.log, you can issue "nvcdebug -n" which will cause nvcorrd to
write out in detail to his log what rulesets he is running. You can see
the contents of the ruleset there. You can also debug this way by sending
"nvcdebug -d all" and then observing what happens to each event as it is
evaluated. Everything between the eyecatcher "Received a trap" and
"Finished with the event" is nvcorrd processing that event.

James Shanks
Level 3 Support for Tivoli NetView for UNIX and Windows
Network Availability Management
Network Management - Development
Tivoli Software, IBM Corp


sean.lawrence@cantire.com
Sent by: nv-l-bounces@lists.ca.ibm.com
10/24/2006 08:13 AM
Please respond to Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>


       To:     Tivoli NetView Discussions <nv-l@lists.ca.ibm.com>
       cc:
       Subject:        [NV-L] Ruleset Editing Questions


I am trying to set up some rules to filter out traps coming from
Ciscoworks. We are getting way too many now that the network guys have
turned it on.

Is there a way to simply drop traps that have not been defined in the
trapd.conf? I do not want to keep them in Netview or forward them to TEC.

On a side note I am having trouble setting up simple rules.

I am receiving a trap from Ciscoworks with the OID of 1.3.6.1.4.1.9.1.502.
I do not want this forwarded to TEC.

In the ruleset defined in tecint.conf I created an Event Attributes rule.
It looks like this:

Event Stream -> (EnterpriseOID <>  1.3.6.1.4.1.9.1.502) -> Forward

I ran the nvtecia -reload command to reload the ruleset and I am still
getting these forwarded. Is there something else required to load modified
rulesets?

Sean
_______________________________________________
NV-L mailing list
NV-L@lists.ca.ibm.com
Unsubscribe:NV-L-leave@lists.ca.ibm.com
http://lists.ca.ibm.com/mailman/listinfo/nv-l (Browser access limited to
internal IBM'ers only)
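
Added example, not part of the original thread and not IBM's code: a Python reader for the nvcorrd trace discussed above. It lists the tests each loaded ruleset carries (the "nvcdebug -n" dump), splits the trace into per-event blocks between the "Received a Trap" and "Finished with the" eyecatchers, and flags an EnterpriseID test that differs from a received OID only by a leading dot. The sample log is constructed from lines quoted in the thread with mail-wrapped lines rejoined, and all function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the trace quoted in this thread, wraps rejoined.
SAMPLE_LOG = """\
+  +  RuleSet forwardall.rs
+  +  +  Forward(19) Corrnode application=0x303d2888
+  +  RuleSet test.rs
+  +  +  EventAttributes (Attr='EnterpriseID'  ne  Value='.1.3.6.1.4.1.9.1.400')
+  +  +  +  EventAttributes (Attr='Origin'  ne  Value='42.231.8.3')
+  +  +  +  +  Forward(130) Corrnode application=0x30062d18
2006/24/10 10:35:24 .//nl_nvcorrd.C[634] : ===> Received a Trap
2006/24/10 10:35:24 EventData.C[110] : Attr(EnterpriseID='(char,1.3.6.1.4.1.9.1.400)')
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for forwardall.rs forwards=1 overrides=0 resolves
2006/24/10 10:35:24 CorrDnodes.C[277] : ===> Completed actions for test.rs forwards=1 overrides=0 resolves=0
2006/24/10 10:35:24 .//nl_nvcorrd.C[745] : ===> Finished with the trap ====
"""

RULESET = re.compile(r"RuleSet (\S+\.rs)\s*$")
CONDITION = re.compile(r"EventAttributes \(Attr='(\w+)'\s+(\w+)\s+Value='([^']*)'\)")
TRAP_OID = re.compile(r"Attr\(EnterpriseID='\(char,([^)]*)\)'\)")
COMPLETED = re.compile(r"Completed actions for (\S+) forwards=(\d+)")

def loaded_conditions(log):
    """Map each ruleset in the 'nvcdebug -n' tree to its (attr, op, value) tests."""
    rules, current = {}, None
    for line in log.splitlines():
        if not line.startswith("+"):      # tree lines only, skip timestamped trace lines
            continue
        if m := RULESET.search(line):
            current = rules.setdefault(m.group(1), [])
        elif current is not None and (m := CONDITION.search(line)):
            current.append(m.groups())
    return rules

def events(log):
    """Yield (enterprise_id, {ruleset: forwards}) for each eyecatcher-delimited block."""
    oid, fwd, inside = None, {}, False
    for line in log.splitlines():
        if "===> Received a Trap" in line:
            oid, fwd, inside = None, {}, True
        elif not inside:
            continue
        elif "===> Finished with the" in line:
            yield oid, fwd
            inside = False
        elif oid is None and (m := TRAP_OID.search(line)):
            oid = m.group(1)              # first EnterpriseID line is the received trap
        elif m := COMPLETED.search(line):
            fwd[m.group(1)] = int(m.group(2))

def dot_mismatches(log):
    """Ruleset EnterpriseID tests that match a received OID only once the leading dot is dropped."""
    seen = {oid for oid, _ in events(log) if oid}
    hits = []
    for name, conds in loaded_conditions(log).items():
        for attr, op, value in conds:
            if attr == "EnterpriseID" and value not in seen and value.lstrip(".") in seen:
                hits.append((name, op, value))
    return hits
```

On the sample, dot_mismatches() reports the test.rs condition, and events() shows the same trap counted as forwarded once by forwardall.rs and once by test.rs.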



Archive operated by Skills 1st Ltd
