We’re having a problem with alerts being generated from SNMP traps we receive. We use the NMS mostly for network device supervision (Cisco primarily) and the first issue is we’re getting multiple event IDs in alerts from traps, which is a result of these lines in alert templates:
#%key: %value.string
Port: %value.ifName
Port Name: %value.ifAlias
The second issue is that the SNMP trap gets recovered in five minutes, which is our refresh interval for alerts.
We’ve tried %eventlog.message ~ "Interface went Down" && %macros.port_now_down = "1" and also *eventlog.type = "trap" AND eventlog.message LIKE '%linkDown%' AND macros.port_now_down = 1 but in each case we get a false recovery.
The version is 1.43-141-g7c45cd5f6 - Tue Oct 09 2018 13:21:34 GMT+0200.
The goal is to be notified of events for port down immediately and that’s why I want to use traps. It will be seen by our first level support in the eventlog, which is great, but my main issue is that an alert generated from that trap closes itself without the issue being solved… and that’s why I asked for help.
As I understand, the solution is to just use a separate macro.port_now_down for an alert rule and avoid generating it from the eventlog?
The default Port status up/down rule will check for macros.port_down, which is what the trap set.
If using traps and the default rule for Port status, with the correct delay (minimum 1min without cheating the alerts.php), you will get notified with the correct data in the template.
You will not get notified sooner for using the eventlog as source for the alert.
Do not mix the port check and the eventlog check if you want to see if it went down at all (not if it is down now and it went down within the last x minutes).
Make sure you set the correct and/or settings as shown in the image. This will alert if there was a trap in the last 5 minutes or the port is down as per polling (if the previous state was up).
Don’t forget that the alert data is only generated on a poll though, so no matter what happens with a trap, it will still take up to the 5 minutes for an alert to even be possible to send the actual alert to a transport.
No, alerts.php will only send to transports for an active alert. An active alert only occurs when the rules are run against the device. So as the traps (I assume) don’t process the rules, then an alert will not be raised.