Events

NINO uses a SNMP trapd proces to receive all traps. If a device sends a SNMP trap, then NINO will store this event into the database. In the status window a list of categories will be displayed with the severity level. In the event function the eventlog can be displayed. Also the device list and Node map will show the severity status per device.

SNMP Traps

NINO uses the trapd.conf file to define all possible events with the right severity level. This trapd.conf file can be downloaded from www.cisco.com or www.hp.com and is compatible with HP Openview. Additional event actions and event recovery definitions can be created into text files. In the NINO install procedure this files will be stored into the database. After installation the database is created and all NINO processes can be started. The event configuration can also be altered after installation using the NINO user interface. This includes event severity level, description, event action, sound alerts, event filters etc.

If a SNMP trap is received the next steps are taken:

The device sends a SNMP trap (1)
The trap receiver reads the trapd table to get event information like severity, description, actions (2)
The event is stored into the eventlog table (3)
The eventaction proces checks recovery and actions (4)
If an action is defined (e.g. high severity event) it performes the action, like sending a new trap or e-mail (5)

For network traffic monitoring the next steps are taken:

The node/device info is read from the database (1)
The SNMP data is requested and read from the device (2)
If the device down not respond, send a SNMP trap (3)

For device status monitoring the next steps are taken:

The node/device info is read from the database (1)
The status is requested from the device (2)
If the device down not respond, send a SNMP trap (3)

The diagram show the steps below:

Event Functions

NINO has several event functions available to display the events. The main functions will display the status (categories, devices and 3D Map) or the eventlog (eventlog/userlog, summary, SQL). If additional customizing of events is needed an event edit function is available in NINO. The next event functions are available:

Save SQL query for reporting
Acknowledge events
Auto event recovery using event corellation definitions
Customize events

Customize severity levels
Customize event recovery, event corellation
Add new events or delete events
Define event actions

SMS or e-mail notification
forward or send new trap
Count events and send trap on threshold
Check event recovery and send trap on exceeded time
Check event recovery and Count events and send trap on threshold/time

The event function

The event function is able to show the eventlog in many ways. Events can be filtered by category, user defined filters, severity or host. Also a search string can be enetered to view only events that match the search string. More advanced is the Summary and SQL option in Function. The Summary option will categorize all events by Host, EventOID, Event and count the number of events. The SQL option will enable SQL queries to be entered in the search field. This SQL queries will be fired upon the database, even beyond the eventlog table. So every kind of information can be customized. The example below shows the event function and the standard eventlog.

Events	Filter	Severity	Hosts	Function	Lines

Search:

Smart find

Basic

The default event filters can filter events per category. However it is also possible to create user defined filters. Press the Filter button to edit or create your own event filters. The filter can combine multiple severity levels and categories. User defined filters are stored as SQL query in the database (see also Save Query). In the example below the filter will only show high severity alerts on specific categories.

Events	Filter
Filter:
Apply:

Application Alert Alarms
Cisco Events
CiscoWorks Events
Configuration Alarms
Error Alarms
IGNORE
LOGONLY
Status Alarms
Threshold Alarms

To view the eventlog, press the GO button.

fa4-1.sttlwa2-cr1.bbnplanet.net

Minor

.1.3.6.1.6.3.1.1.5.3

Agent Interface Down (linkDown Trap) enterprise:fa4-1.sttlwa2-cr1.bbnplanet.net (fa4-1.sttlwa2-cr1.bbnplanet.net) on interface serial0

Agent Interface Down (linkDown Trap) enterprise:10.9.0.1 (10.9.0.1) on interface serial0

Incorrect Community Name (authenticationFailure Trap) enterprise:linux.local (linux.local) args(1):snmp write community

The next step is to store SQL queries into the database for re-use in reporting. Use the SaveQuery button and give the query a description in the screen below. SQL queries may be altered if needed. These queries can be used in the report function. In the report template editor the queries can be used with the HTML inline script functions. To delete unused queries, just use the checkboxes and the delte button to delete them.

SQL	Query
Description:
SQL Query:	SELECT eventlog.ID,eventlog.Date,eventlog.Host,trapd.Severity,eventlog.EventOID,eventlog.Event,eventlog.Ack FROM eventlog, trapd WHERE eventlog.trapdid = trapd.id ORDER BY Date DESC LIMIT 0, 10
Save:

Id	Delete	Description	SQL Query
2		justaquery	SELECT eventlog.ID,eventlog.Date,eventlog.Host,trapd.Severity,eventlog.EventOID,eventlog.Event,eventlog.Ack FROM eventlog, trapd WHERE eventlog.trapdid = trapd.id ORDER BY Date DESC LIMIT 0, 10

Sound alerts and colors

Severity colors and alert sounds can be linked to a severity level using the ADMIN - SEVERITY menu. Suppose that a Major event occurs, the corresponding sound will be played. Also the severity color will be displayed in the eventlog or status screen.

Customize Events

The buttons Edit and Categories are edit functions to customize event types, categroies, severity levels and event actions. To create or edit categories, press the categories button. The categories window will below. Click on the ID to edit a category or use the checkboxes to delete categories.

Id	Delete	Category
1		Application Alert Alarms
2		Cisco Events
3		CiscoWorks Events
4		Configuration Alarms
5		Error Alarms
6		IGNORE
7		LOGONLY

The event definitions can be sutomized using the Edit button. Follow the steps in the flowchart to edit the event definitions.

EVENTS MENU

CLICK EDIT BUTTON

SELECT EVENT

EDIT EVENT VALUES AND SELECT CATEGORY, SEVERITY AND ACTION

SUBMIT OR ADD NEW EVENT

SET ACTION PARAMETERS

Use the Edit button to customize event definitions. All possible events from the trapd table are displayed (see short example below). Click on the event ID to select an event.

Id	EventName	EventOID
1	RMON_Rise_Alarm	.1.3.6.1.2.1.16.0.1
2	RMON_Falling_Alarm	.1.3.6.1.2.1.16.0.2
3	RMON_Packet_Match	.1.3.6.1.2.1.16.0.3
4	EnterpriseDefault	.1.3.6.1.4.1.*
5	OV_Default	.1.3.6.1.4.1.11.2.17.1.*
6	OV_IF_Marginal	.1.3.6.1.4.1.11.2.17.1.0.40000000
7	OV_IF_IP_Addr_Chg	.1.3.6.1.4.1.11.2.17.1.0.40000001
8	OV_Network_SubMskChg	.1.3.6.1.4.1.11.2.17.1.0.40000002
9	OV_Connection_Up	.1.3.6.1.4.1.11.2.17.1.0.40000003
10	OV_Connection_Down	.1.3.6.1.4.1.11.2.17.1.0.40000004
11	OV_Connection_Marg	.1.3.6.1.4.1.11.2.17.1.0.40000005
12	OV_DataCollect_Check	.1.3.6.1.4.1.11.2.17.1.0.40000006
13	OV_IF_Disconnected_Segs	.1.3.6.1.4.1.11.2.17.1.0.40000007

The next screen can be used to edit the event definitions, such as Severity, Category, Action and the textfields to edit the name, description, OID and Recovery OID. Use the Submit button to update the event definitions or the New button to create a new event. The Delete button deletes the event.

The recovery OID is used in the eventaction proces to auto-acknowledge this event if a recovery event occurs. An example is the LinkDown and LinkUp trap. If an interface goes down, a LinkDown trap is send. The recovery OID is the LinkUp OID, so the LinkDown event is auto-recovered when a LinkUp trap is received.

The Nodes field is empty by default, so traps of all nodes are stored into the eventlog. Fill in the nodes field if specific actions or definitions are required for a node/device. An event may be duplicated to respond in a different way on several nodes, e.g. a serial link down on a router can be Major severity, but a link down on a hub with PC's can be normal severity. Also event actions may be different on several nodes.

The next event actions are available:

mail send an e-mail notification when the event is received. If you want to receive a SMS, there are also e-mail to SMS services available on the internet.
forward send a new trap or forward a trap to another network management host when the event is received.
count count the events in a time window and send a trap if a threshold value is exceeded
command execute a script when the event is received. This can be used for corrective actions or notifying other applications
no recovery check if the event is recovered in a time window and send a trap if the maximum time is exceeded
count or no recovery count the events in a time window and send a trap if a threshold value is exceeded and check if the event is recovered in a time window and send a trap if the maximum time is exceeded

It is also possible to link several event actions. An example is to check an non recovered event in a time window, this will send a new trap. The next step is to define a SMS or e-mail notification on this new trap. This could be a LinkDown trap of a FrameRelay connection with e-mail notification. The simple solution is to configure an e-mail notification on a LinkDown event. But what should you do if the link just has a dip for one second and the link recoveres without any problems ? In most cases a network administrator only wants to have a notification (or SMS in the middle of the night...) if the link is really down and not for a minor dip of one or two seconds. The LinkDown events are logged in the eventlog, so the information is never lost. Example flowchart:

EVENT A IS RECEIVED

WAIT 5 MINUTES UNTIL EVENT IS RECOVERED

EVENT A NOT RECOVERED IN 5 MINUTES

SEND TRAP B, BECASUE A IS NOT RECOVERED

EVENT B IS RECEIVED

SEND MAIL TO ADMINISTRATOR

All event configuration input windows are displayed below with an OSPF event as example.

Event 7	ospfNbrStateChange
EventName:
EventOID:
RecoveryOID:
Nodes:
Format description:	ospfNbrStateChange trap received from enterprise $E

Severity	Category	Action	Change	New	Delete

The e-mail notification properties can be filled in here:

Event 7	ospfNbrStateChange
EventOID:	.1.3.6.1.2.1.14.16.2.2
Format description:	ospfNbrStateChange trap received from enterprise $E
Category:	LOGONLY
Severity:	Normal
Action:	mail
Send e-mail to:
Apply:

The forward trap action properties can be filled in here:

Event 7	ospfNbrStateChange
EventOID:	.1.3.6.1.2.1.14.16.2.2
Format description:	ospfNbrStateChange trap received from enterprise $E
Category:	LOGONLY
Severity:	Minor
Action:	forward
SNMP trap OID:
SNMP trap specific:
Apply:

The command properties can be filled in here:

The count action properties can be filled in here:

Event 7	ospfNbrStateChange
EventOID:	.1.3.6.1.2.1.14.16.2.2
Format description:	ospfNbrStateChange trap received from enterprise $E
Category:	LOGONLY
Severity:	Minor
Action:	count
Timewindow (minutes):
Count events:
SNMP trap OID:
SNMP trap specific:
Apply:

The no_recovery action properties can be filled in here:

Event 7	ospfNbrStateChange
EventOID:	.1.3.6.1.2.1.14.16.2.2
Format description:	ospfNbrStateChange trap received from enterprise $E
Category:	LOGONLY
Severity:	Minor
Action:	no_recovery
Timewindow (minutes):
SNMP trap OID:
SNMP trap specific:
Apply:

The count_or_no_recovery action properties can be filled in here:

Event 7	ospfNbrStateChange
EventOID:	.1.3.6.1.2.1.14.16.2.2
Format description:	ospfNbrStateChange trap received from enterprise $E
Category:	LOGONLY
Severity:	Minor
Action:	count_or_no_recovery
Timewindow (minutes):
Count events:
SNMP trap OID:
SNMP trap specific:
Apply:

Top