Transforming events with event mappings
To modify events as they arrive, create an event map through the user interface:
- Create an event class.
- Go to the event console and create an event mapping in this class from the existing event.
- Edit the map.
-
In the Transform area, update the event with detail data. The entry field allows you to insert Python scripts. The event is provided as "evt" and the device as "device." In this case, extract the sysLocation event detail and make it the summary with:
evt.summary = evt.sysLocation -
Save the event mapping.
If you move the event to the event archive and resend the trap, the summary for the trap should now read the device name in the location you assigned.
If you encounter problems with the transform, check the zentrap.log and zeneventd.log files for errors that occurred.
Configuring varbind handling
The zentrap service supports 3 copy modes for SNMP varbinds. A varbind (variable binding) is the combination of an object identifier (OID) and a value or value-and-type.
| Mode | Description |
|---|---|
| 0 | Varbinds are copied into events as one field, per RFC convention. |
| 1 | Varbinds are copied into events as several fields and a sequence field is added. |
| 2 | Mixed mode (default).
|
The varbind copy mode is set in the zentrap.conf file of
each zentrap service in your deployment. To change the default, open
the file, uncomment the varbindCopyMode variable, and then modify its
value.
Example
For example, assume that a trap sends the following varbinds:
| OID | Value |
|---|---|
| someVar.0 | Data0 |
| someVar.1 | Data1 |
For copy mode 0, the resulting event fields would be as follows:
| OID | Value |
|---|---|
| someVar | Data0,Data1 |
| someVar.ifIndex | 0,1 |
For copy mode 1, the resulting event fields would be as follows:
| OID | Value |
|---|---|
| someVar.0 | Data0 |
| someVar.1 | Data1 |
| someVar.sequence | 0,1 |
For more information about using copy mode 1, see Mapping SNMP variables to events.
Mapping SNMP variables to events
Use the information on this page when the zentrap service is configured for varbind copy mode 1. For more information, see Configuring varbind handling.
Some SNMP traps can include
variables (varbind objects), which are ordered implicitly. The ordering
requirement takes the form of Name.Number—like someVar.0—and in
many cases there will be a series of varbind objects with different
numbers on the same name. The following tables provide an example
variable and varbind objects.
| OID | Value |
|---|---|
| 1.2.1.1.3.0 | Message0 |
| 1.2.1.1.3.1 | Message1 |
Assuming a MIB (imported into Resource
Manager) specifies the
name someVar (1.2.1.1.3)
then the event details would be as follows:
| Name | Value |
|---|---|
| someVar.0 | Message0 |
| someVar.1 | Message1 |
| someVar.sequence | 0,1 |
The following tables illustrate how the implicit ordering is encoded in event details.
Example trap with an SNMP varbind object
| OID | Value |
|---|---|
| 1.3.6.1.2.1.2.2.1.1.143 | 143 |
| 1.3.6.1.2.1.2.2.1.7.143 | 1 |
| 1.3.6.1.2.1.2.2.1.8.143 | 1 |
| 1.3.6.1.2.1.2.2.1.2.143 | "F23" |
| 1.3.6.1.2.1.31.1.1.1.18.143 | "" |
Event details for example trap
| Name | Value |
|---|---|
| ifIndex.143 | 143 |
| ifIndex.sequence | 143 |
| ifAdminStatus.143 | 1 |
| ifAdminStatus.sequence | 143 |
| ifOperStatus.143 | 1 |
| ifOperStatus.sequence | 143 |
| ifDescr.143 | F23 |
| ifDescr.sequence | 143 |
| ifAlias.143 | |
| ifAlias.sequence | 143 |
The event details are repetitive, but an event transform can parse and process sequenced varbind objects.
For example, the following event transform concatenates
the someVar parts into the event's summary attribute:
seq = getattr(evt, "someVar.sequence", None)
if seq is not None:
values = []
for idx in str(seq).split(','):
value = getattr(evt, "someVar." + idx, '')
values.append(value)
evt.summary = ' '.join(values)
Event transforms based on event class
When an event arrives in the system, you can change values (such as severity). For example, you can make the summary more informative, or change severity according to text within the summary.
Each event class allows for a short Python script to be executed when an event arrives.
For example, a user may want full file system threshold events on /data to be critical. Add the following Python script in the Threshold Transform of /Events/Perf/Filesystem:
if evt.component == '/data' and evt.severity != 0: evt.severity = 5
Like event mappings for event class keys, the "evt," "device," and "component" objects are available in the script of the transform. See the event class transform page for more information.
