IBM Tivoli/Netcool Rules

termite · Post by **termite** » Tue Sep 22, 2009 11:25 am

Does anyone know how to feed data into IBM Tivoli / Netcool ObjectServer. If not, does anyone have a rulesfiles that will work with the ObjectServer. Thank you in advance.

Post by **TheWitness** » Wed Sep 23, 2009 9:07 pm

Lot's of "fancy" acronyms that mean nothing to a Cacti Forum.

TheWitness

termite · Post by **termite** » Mon Oct 05, 2009 8:12 am

I am looking to see if Cacti have the ability to send traps to other NMS systems such as Nerve Center or Netcool/IBM Tivoli.

Howie · Post by **Howie** » Mon Oct 05, 2009 8:53 am

Cacti by itself doesn't really generate events (about the network). Some of the plugins (like Thold and Manage) do... they send mails. If ObjectServer can take those in, then you are set.

If it can't, then frankly I'd be asking for my $50000 back.

Edit: Looks like "IBM Tivoli Netcool/OMNIbus E-mail Probe" would do that.

mrnoodle · Post by **mrnoodle** » Mon Oct 05, 2009 12:07 pm

We have a number of Cacti servers that are sending alerts to a central Netcool server by using the syslog feature in the Thold plugin. Once the messages are sent to the local syslog, it is a simple change to make the Cacti system send them to the remote Netcool server for further processing.

We found the syslog feature was far easier than trying to process emails.

peecee · Post by **peecee** » Tue Oct 06, 2009 9:39 am

We're doing the same - using syslog.

I had it working with traps as well, but syslog is far more capable in dealing with the level of detail I need. Plus, I didn't feel like writing a MIB. I know I didn't need to, but I like to have a MIB for every rules file just in case I need to do something drastic.

If you're familiar with writing rules and you have a syslog probe, it shouldn't take more than about 10 minutes to add some rules to grab all your threshold data being sent to syslog. Just make sure to set the Cacti server up to send events to a remote syslog, preferably as a specific facility so you can capture them easily.

rameshbalajiv · Post by **rameshbalajiv** » Tue Nov 22, 2011 3:10 pm

Hi:

I have been managing the Netcool/IBM product. Recently we have also implemented Cacti in our environment.
I receive following syslog message from Cacti server
Nov 22 13:32:17 [<IP>] localhost CactiTholdLog[16164]: ME344XD28101 - Active Calls [snmp_oid] went above threshold of 20 with 23 at trigger 1 out of 1 - http://<IP>//graph.php?local_graph_id=176&rra_id=all
But the syslog probe is expecting the message in different format like:
Nov 22 15:08:08 ME538XC35602 65989: Nov 22 15:08:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/21, changed state to up

When I turn on debug mode, the process not going to any rules file and failing before itself.
How do we change the syslog message format at the Cacti server side before sending the message to Netcool server.

Thank You
Ramesh Vasudevan

Post by **TheWitness** » Tue Nov 22, 2011 3:28 pm

I believe that your syslog rule was designed for another logging client, likely not the Cacti Thold plugin. I think you need to edit your rule to align with the Cacti Syslog plugin logging pattern.

rameshbalajiv · Post by **rameshbalajiv** » Wed Nov 23, 2011 9:24 am

peecee/mrnoodle:

Currently we are only processing the Cisco syslog messages through netcool/omnibus syslog probe. But as we are receiving the Cacti tThold syslog messages, we don't the proper rules file.
I do write cisco rules files whenever I find any uncategorized messages but never written one for Cacti.
Could you please post your rules file that you use for Cacti under Netcool.
Thank You
Ramesh Vasudevan.

Post by **TheWitness** » Wed Nov 23, 2011 7:36 pm

I can only tell you how to use Cacti's Syslog Plugin and it's rules are simple. No files, just WebUI.

rameshbalajiv · Post by **rameshbalajiv** » Mon Nov 28, 2011 10:53 am

All:

I have updated the existing cisco syslog probe rules file to display the Cacti syslog message as follows:

# Added following rules to process and resolve Cacti Threshold Messages

default:
if(regmatch($Token6, "^CactiTholdLog"))
{
log(DEBUG, "<<<<< Entering... after CactiTholdlog found >>>>>")
@Node = $Token7
@NodeAlias = $Token7
@AlertGroup = "Cacti Threshold Log"
@AlertKey = ""
$Message = ltrim(rtrim(extract($Details, "- (.*)$")))
@Summary = $Message
if(regmatch($Message,"^Active Calls"))
{
@Severity = 2
}
if(regmatch($Message, "^CPU"))
{
if(match($Token11, "restored"))
{
@Severity = 2
}
if(match($Token12, "above"))
{
@Severity = 5
}
}
if(regmatch($Message, "^Traffic"))
{
if(match($Token15, "restored"))
{
@Severity = 2
}
if(match($Token16, "above"))
{
@Severity = 5
}
}
@Type = 1
@Identifier = @Node + " " + @AlertGroup + " " + @Manager + " " + $Details
details($*)
log(DEBUG, "<<<<< Leaving... leaving CactiTholdlog found >>>>>")
log(WARNING, "<<<<< Leaving... leaving CactiTholdlog found >>>>>")
}
else
{
#discard
@AlertGroup = "[Generic Syslog]"
@AlertKey = ""
@Summary = $Details
@Severity = 2
@Type = 1
@Identifier = @Node + " " + @AlertGroup + " " + @Manager + " " + $Details

details($*)
}
}
}

$OS_LocalNodeAlias = @Node
}

Recycle netcool syslog probe.
Hope this helps.
Thank You
Ramesh Vasudevan

Cacti

IBM Tivoli/Netcool Rules

IBM Tivoli/Netcool Rules

Re: IBM Tivoli/Netcool Rules

Re: IBM Tivoli/Netcool Rules

Re: IBM Tivoli/Netcool Rules

Re: IBM Tivoli/Netcool Rules

Re: IBM Tivoli/Netcool Rules

Who is online