How to filter event messages

How to filter event messages

indon.bae
I have two network segments.
One is 10.150.x.x (production) and the other is 192.168.x.x (office).
These two networks are separated by a Cisco ASA firewall (192.168.5.252), and OpenNMS (192.168.5.160) is installed in the office environment.
Since I turned Cisco traps on at debug level (logging trap debugging) in the FW, the FW generates lots of log messages.
 
I am currently using OpenNMS to monitor our production network.
Although I configured OpenNMS to discover nodes in only the 10.186.x.x network as listed below, I am getting lots of event messages from the FW (192.168.5.252).
 
<discovery-configuration threads="1" packets-per-second="1"
        initial-sleep-time="30000" restart-sleep-time="86400000"
        retries="1" timeout="2000">
        <include-range>
                <begin>10.186.0.1</begin>
                <end>10.186.255.254</end>
        </include-range>
</discovery-configuration>
 
Due to these event messages from the FW, my events table in OpenNMS becomes very large and I occasionally have to manually delete the records from the table using the SQL DELETE command.  It is very cumbersome.
 
How can I block or filter out unwanted event messages coming from the FW to OpenNMS (without changing the Cisco trap level in the FW)?
Your help will be greatly appreciated.
 
I am using OpenNMS v1.3.7 under Fedora Core 6.

--
In Don Bae

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Please read the OpenNMS Mailing List FAQ:
http://www.opennms.org/index.php/Mailing_List_FAQ

opennms-discuss mailing list

To *unsubscribe* or change your subscription options, see the bottom of this page:
https://lists.sourceforge.net/lists/listinfo/opennms-discuss

Re: How to filter event messages

Jeff Gehlbach
On Aug 28, 2008, at 12:20 PM, [hidden email] wrote:

> How can I block or filter out unwanted event message coming from FW  
> to OpenNMS (without changing cisco trap level in FW)?

If you don't care about any firewall traps in openNMS, then you can just remove the openNMS server from the list of trap destinations ("no snmp-server host 192.168.5.160").

If you want openNMS to ignore certain types of traps, then you can edit the event files in which the definitions for those traps are contained.  One such file is /opt/opennms/etc/events/Cisco.events.xml, but Cisco devices may also send IETF traps whose event definitions are in other files in that same directory.  To tell openNMS to discard a given type of trap, locate the corresponding event definition in the correct file and change the "dest" attribute of its <logmsg> child element to "discardtraps".  Example:

<logmsg dest='logndisplay'>

Becomes:

<logmsg dest='discardtraps'>

You can get a list of the most common trap types received from your ASA by running the following SQL query:

SELECT eventuei, COUNT(eventid) AS tally FROM events WHERE ipaddr = '192.168.5.252' GROUP BY eventuei ORDER BY tally DESC;

Note that if the ASA is configured to send traps from a different interface, such as a loopback interface ("snmp-server trap-source Loopback 0") then you will need to substitute the IP address of that interface in the query above.

-jeff
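An added example, not code from Jeff's reply or from the OpenNMS project: a small Python helper that applies the "dest='discardtraps'" change described above to every <logmsg> of the events whose UEI you name, and reports which ones it touched so you can verify the edit before and after. The events XML below is constructed in the shape of an OpenNMS events file (the first UEI is the one named in this thread, the second is a made-up placeholder); it assumes the eventconf default namespace but also works on a file without one.

```python
import xml.etree.ElementTree as ET

EVENTCONF_NS = "http://xmlns.opennms.org/xsd/eventconf"
ET.register_namespace("", EVENTCONF_NS)  # keep the default namespace unprefixed on output

# Constructed sample in the shape of an OpenNMS events file; not a copy of Cisco.events.xml.
# The second UEI is a placeholder that must keep its original dest after the rewrite.
SAMPLE_EVENTS_XML = """<events xmlns="http://xmlns.opennms.org/xsd/eventconf">
  <event>
    <uei>uei.opennms.org/vendor/Cisco/traps/clogMessageGenerated-Info</uei>
    <event-label>Syslog message wrapped in a trap (constructed)</event-label>
    <logmsg dest='logndisplay'>Syslog message received via trap.</logmsg>
  </event>
  <event>
    <uei>uei.opennms.org/vendor/Cisco/traps/examplePlaceholderTrap</uei>
    <event-label>Placeholder trap that should stay logged (constructed)</event-label>
    <logmsg dest='logndisplay'>Placeholder trap received.</logmsg>
  </event>
</events>
"""

def _local(tag):
    """Strip any {namespace} prefix so tag matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(event_el, name):
    """Text of the first child element called `name`, or None."""
    return next((c.text.strip() for c in event_el if _local(c.tag) == name and c.text), None)

def dest_by_uei(xml_text):
    """Map each event's UEI to the dest attribute of its <logmsg> (for before/after checks)."""
    result = {}
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) == "event":
            for child in ev:
                if _local(child.tag) == "logmsg":
                    result[_child_text(ev, "uei")] = child.get("dest")
    return result

def discard_ueis(xml_text, ueis_to_discard):
    """Return (rewritten XML, list of UEIs changed) with dest='discardtraps' on the named events."""
    root = ET.fromstring(xml_text)
    changed = []
    for ev in root.iter():
        if _local(ev.tag) != "event" or _child_text(ev, "uei") not in ueis_to_discard:
            continue
        for child in ev:
            if _local(child.tag) == "logmsg" and child.get("dest") != "discardtraps":
                child.set("dest", "discardtraps")
                changed.append(_child_text(ev, "uei"))
    return ET.tostring(root, encoding="unicode"), changed
```

Write the returned XML over a backup copy of the events file and diff it against the original before putting it in place; a second run reports no changes, so it is safe to repeat.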


Re: How to filter event messages

indon.bae
Hi Jeff,
 
Thank you very, very much for your help.
I'll try to configure the Cisco.events.xml file to ignore the trap type "uei.opennms.org/vendor/Cisco/traps/clogMessageGenerated-Info".
Thanks, again.

--
In Don Bae


Re: How to filter event messages

Jeff Gehlbach
On Aug 28, 2008, at 2:53 PM, [hidden email] wrote:

> I'll try to configure Cisco.events.xml file to ignore trap type -  
> "uei.opennms.org/vendor/Cisco/traps/clogMessageGenerated-Info"

Ooh, that's a favorite trap ;)

Actually, all the "clogMessageGenerated-*" traps are normally fairly useless, since they are just an SNMP trap wrapped around a syslog message.  If your Cisco devices are configured properly ("snmp-server enable traps XXX"), you'll receive a specific SNMP trap describing the same situation, making the "clogMessage" trap redundant.

-jeff
