Configuring triggers for SNMP trap

  • Cenzoooo
    Member
    • Jul 2015
    • 37

    #1

    Hello,

    I need help configuring triggers for SNMP traps. I have configured an external monitoring system to forward SNMP traps to Zabbix. One SNMP trap looks like:
    2019-03-11 10:12:11 2019-03-11 10:12:09 09:12:09 2019/03/11 PDU INFO:
    errorindex 0
    notificationtype TRAP
    community public
    messageid 0
    errorstatus 0
    version 1
    transactionid 9042
    receivedfrom UDP: [1.1.1.1]:52328->[2.2.2.2]:162
    requestid 1042
    VARBINDS: SNMPv2-MIB::sysUpTime.0 type=67 value=Timeticks: (443093323) 51 days, 6:48:53.23
    SNMPv2-MIB::snmpTrapOID.0 type=6 value=OID: SNMPv2-MIB::coldStart
    SNMPv2-MIB::snmpTrapEnterprise.0 type=4 value=STRING: "99999"
    XXX-MIB::alertID type=4 value=STRING: "430a40f2-6e05-41c5-aca3-f6981a2d10d4"
    XXX-MIB::alertName type=4 value=STRING: "MSSQL: Monitoring failed"
    XXX-MIB::alertDescription type=4 value=STRING: "Event ID: 4001. Management Group: XXX. Script: GetSQL2008SPNState.vbs. Version: 7.0.7.0 : The Query 'SELECT ProtocolName FROM ServerNetworkProtocol where Enabled = true and InstanceName = 'CITRIX_METAFRAME'' did not return any valid instances. Please check to see if this is a valid WMI Query.. The system cannot find the file specified. "
    XXX-MIB::severity type=4 value=STRING: "Critical"
    XXX-MIB::resolutionState type=4 value=STRING: "0"
    XXX-MIB::hostname type=4 value=STRING: "TEST123"

    Now, I would like to create a trigger with the appropriate severity, host name and alertName. Also, when the resolution state is 0 there is a PROBLEM; when it is 255 it is cleared.
    Can anyone help me with that?
    Last edited by Cenzoooo; 12-03-2019, 18:11.
  • Cenzoooo
    Member
    • Jul 2015
    • 37

    #2
    Hi guys! I have managed to do something and almost solved my problem!

    I created following trigger:

    Trigger expression: {Template SNMP Traps SCOM:snmptrap[].iregexp("\"Critical\"")}=1 and {Template SNMP Traps SCOM:snmptrap[].iregexp("STRING: \"0\"")}=1
    Recovery expression: {Template SNMP Traps SCOM:snmptrap[].iregexp("\"Critical\"")}=1 and {Template SNMP Traps SCOM:snmptrap[].iregexp("STRING: \"255\"")}=1
    Problem event generation mode: Multiple
    OK event closes: All problems if tag values match
    Tag for matching: ALERT ID

    Tags:
    ALERT ID: {{ITEM.VALUE}.regsub("(XXX-MIB::alertID.*STRING: (.*).*)", " \2 ")}
    HOSTNAME: {{ITEM.VALUE}.regsub("(XXX-MIB::hostname.*STRING: (.*).*)", " \2 ")}
    RESOLUTION STATE: {{ITEM.VALUE}.regsub("(XXX-MIB::resolutionState.*STRING: (.*).*)", " \2 ")}
    So, with tag correlation I managed to get problems per ALERT ID, and the problem is supposed to clear if the resolution state becomes 255.
    The only problem I have left is that the other NMS which is sending traps to Zabbix pushes new SNMP traps every 10 mins with the same ALERT ID and RESOLUTION STATE, so basically the same problem is created every 10 mins.
    How can I avoid that and tell Zabbix that it needs to create only 1 problem for the same ALERT ID?


    • Cenzoooo
      Member
      • Jul 2015
      • 37

      #3
      I still did not find a solution for the problem. I will explain: we integrated SCOM with Zabbix, so SCOM is forwarding SNMP traps to Zabbix. I have created that 1 SNMP trap item and 3 triggers with severities warning/average/high. The item is like I mentioned, with multiple event generation and OK events closing based on the tag ALERT ID.
      The trigger is looking for severity and resolution state only, so basically every new SNMP trap is a PROBLEM.

      Everything works well except that SCOM has monitors and rules, and rules are the problem because a rule is updating every 10-15 mins until someone manually closes it. So basically I get the same trap every 10 mins, which generates the same PROBLEM over and over again. Is there anything smarter I can do in the expression to avoid this?

      Best Regards


      • gert.derouck
        Member
        • Jan 2020
        • 69

        #4
        Hi, I have a very similar setup running.
        The way I make sure that I do not get a new alert every 10 minutes:
        SC Orchestrator with SCOM integration pack is the component between SCOM and Zabbix.
        I use 2 SCOR runbooks
        - Runbook for New Alerts: This runbook monitors SCOM for only new alerts and sends an SNMP trap to zabbix
        - Runbook for Closed Alerts: This runbook monitors SCOM for alert updates with resolution state 255 and sends an SNMP trap to zabbix

        By separating the new alerts and alert updates, I only get one trap in Zabbix for a new alert; for closing I often get multiple traps (but that doesn't matter).

        And indeed as you described, use tag correlation (tag: scomalertID) to close alerts in zabbix.

        Note:
        Additionally, I have 2 more runbooks that update the alert in SCOM:
        - when someone closes the alert in Zabbix -> close the alert in SCOM
        - when Zabbix detects the new SCOM alert -> update the alert in SCOM with the Zabbix event URL.
        Last edited by gert.derouck; 25-01-2020, 16:34.

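As an added example (not code from this thread, from Zabbix or from SCOM): a small Python script that parses trap text in the layout post #1 shows, pulls out the same varbinds that the ALERT ID / HOSTNAME / RESOLUTION STATE tags in post #2 capture with {{ITEM.VALUE}.regsub(...)}, and applies the rule gert.derouck implements with two Orchestrator runbooks in post #4: forward one PROBLEM per alert ID on its first trap, one clear when the resolution state is 255, and drop the 10-minute repeats in between. XXX-MIB, the trap header and the alert IDs are constructed from the thread's placeholder values; the AlertGate class, make_trap and run_demo are names chosen here, and the gate is a hypothetical component in front of Zabbix, not a Zabbix feature.

```python
"""Parse Zabbix snmptrap[] text and forward one PROBLEM per SCOM alert ID."""
import re

# Varbind line for the thread's placeholder enterprise MIB (XXX-MIB).
# One line per varbind, value always a quoted STRING, as post #1 shows.
VARBIND_RE = re.compile(r'^XXX-MIB::(\w+) type=\d+ value=STRING: "(.*)"\s*$', re.MULTILINE)

# Constructed PDU header in the layout of post #1 (not a real capture).
TRAP_HEADER = (
    "2019-03-11 10:12:11 2019-03-11 10:12:09 09:12:09 2019/03/11 PDU INFO:\n"
    "notificationtype TRAP\ncommunity public\nversion 1\n"
    "receivedfrom UDP: [1.1.1.1]:52328->[2.2.2.2]:162\n"
    "VARBINDS: SNMPv2-MIB::sysUpTime.0 type=67 value=Timeticks: (443093323) 51 days, 6:48:53.23\n"
    "SNMPv2-MIB::snmpTrapOID.0 type=6 value=OID: SNMPv2-MIB::coldStart\n"
)


def make_trap(alert_id, state, severity="Critical", host="TEST123",
              name="MSSQL: Monitoring failed"):
    """Build a constructed trap text with the XXX-MIB varbinds from post #1."""
    return TRAP_HEADER + (
        f'XXX-MIB::alertID type=4 value=STRING: "{alert_id}"\n'
        f'XXX-MIB::alertName type=4 value=STRING: "{name}"\n'
        f'XXX-MIB::severity type=4 value=STRING: "{severity}"\n'
        f'XXX-MIB::resolutionState type=4 value=STRING: "{state}"\n'
        f'XXX-MIB::hostname type=4 value=STRING: "{host}"\n'
    )


def parse_varbinds(trap_text):
    """Return {varbind name: value} for the XXX-MIB varbinds; these are the
    values the ALERT ID / HOSTNAME / RESOLUTION STATE tag regsubs extract."""
    return dict(VARBIND_RE.findall(trap_text))


def trigger_matches(trap_text, severity, state):
    """Field-based equivalent of post #2's trigger (severity and resolution
    state), instead of matching the raw text with iregexp."""
    vb = parse_varbinds(trap_text)
    return (vb.get("severity", "").lower() == severity.lower()
            and vb.get("resolutionState") == str(state))


class AlertGate:
    """Forward only the first trap per alert ID plus its clearing trap.

    Hypothetical gate between SCOM and Zabbix doing what gert.derouck's two
    runbooks do (new alerts vs. resolution-state-255 updates), keyed by
    alertID like the thread's ALERT ID tag correlation."""
    CLEARED = "255"

    def __init__(self):
        self.open_alerts = {}  # alertID -> varbinds of the first trap seen

    def ingest(self, trap_text):
        vb = parse_varbinds(trap_text)
        alert_id, state = vb.get("alertID"), vb.get("resolutionState")
        if not alert_id or state is None:
            return "MALFORMED"          # no ID to correlate on: do not forward
        if state == self.CLEARED:
            if self.open_alerts.pop(alert_id, None) is None:
                return "IGNORED"        # repeated close, or close of an unseen alert
            return "RESOLVED"           # forward: Zabbix closes the problem via the tag
        if alert_id in self.open_alerts:
            return "DUPLICATE"          # SCOM rule re-sending the same open alert
        self.open_alerts[alert_id] = vb
        return "PROBLEM"                # forward: first trap for this alert ID


def run_demo():
    """Feed the gate the sequence post #3 describes: the same open alert every
    10 minutes, then its close (twice), then an unrelated new alert."""
    gate = AlertGate()
    aid = "430a40f2-6e05-41c5-aca3-f6981a2d10d4"
    traps = [make_trap(aid, 0), make_trap(aid, 0), make_trap(aid, 0),
             make_trap(aid, 255), make_trap(aid, 255),
             make_trap("11111111-2222-3333-4444-555555555555", 0, severity="Warning")]
    return [gate.ingest(t) for t in traps]


if __name__ == "__main__":
    print(run_demo())
```

Only PROBLEM and RESOLVED results would be sent on to Zabbix; with the repeats filtered out, the trigger in post #2 can keep "Multiple" problem event generation and still produce one problem per ALERT ID.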