Create Notifications Based on Event Parameters

From OpenNMS
Tested for Versions
The instructions in this article have been tested against the following versions of OpenNMS.
Tested Against:
Version 17.0.0 tested by Tarus

In many cases, OpenNMS generates an event that deserves a notification, but only if the parameters of the event have a particular value. Here is a fairly easy way to do that (this was done on Horizon 17).

First, it really helps to understand how events and event parameters work. When you have an event of interest, you should look to see how it appears in the database. To access the database, run:

psql -U opennms opennms

Note that you may have to use the "-h" option if the database is on a different server, and if prompted for a password, the default is "opennms".

Once you have access to the DB, you can use the "\x" command to turn on expanded view. This prints each field on a separate line, which is useful since the fields in the events table tend to be long. Then you can select the event and see all of the fields displayed:

opennms=# select * from events where eventid=31;
-[ RECORD 1 ]-----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
eventid                 | 31
eventuei                | uei.opennms.org/syslogd/local0/Error
nodeid                  | 1
eventtime               | 2015-12-21 16:55:57+01
eventhost               | trading.example.com
eventsource             | syslogd
ipaddr                  | 10.130.255.16
eventdpname             | localhost
eventsnmphost           |
serviceid               |
eventsnmp               |
eventparms              | syslogmessage=Dec 21 16:55:57 AMS: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/37, changed state to down(string,text);severity=Error(string,text);timestamp=Dec 21 15:55:57(string,text);process=3707240(string,text);service=local0(string,text);processid=0(string,text)
eventcreatetime         | 2015-12-21 16:55:57.575+01
eventdescr              | <p>The interface 10.130.255.16 generated a Syslog Message.<br>
                        | Node ID: 1<br>
                        | Host: trading.example.com<br>
                        | Interface: 10.130.255.16 <br>
                        | Message: Dec 21 16:55:57 AMS: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/37, changed state to down <br>
                        | Process: 3707240 <br>
                        | PID: 0
                        | </p>
eventloggroup           |
eventlogmsg             | <p>An OpenNMS Event has been received as a Syslog Message </p>
                        | Message: Dec 21 16:55:57 AMS: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/37, changed state to down <br>
eventseverity           | 5
eventpathoutage         |
eventcorrelation        |
eventsuppressedcount    |
eventoperinstruct       |
eventautoaction         |
eventoperaction         |
eventoperactionmenutext |
eventnotification       |
eventtticket            |
eventtticketstate       |
eventforward            |
eventmouseovertext      |
eventlog                | Y
eventdisplay            | Y
eventackuser            |
eventacktime            |
alarmid                 |
ifindex                 |

It is often useful to examine the raw data because you can learn a lot about what is available for filtering. For example, note that this event, which comes from a syslog message, doesn't have a service associated with it, so it would not be useful to filter on service in this case.

The parameters sent with the event are in the eventparms field. They are in the format "label=value", with each parameter delimited by a semicolon. There are six parameters sent with this event:

syslogmessage=Dec 21 16:55:57 AMS: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/37, changed state to down(string,text);
severity=Error(string,text);
timestamp=Dec 21 15:55:57(string,text);
process=3707240(string,text);
service=local0(string,text);
processid=0(string,text)

There are a lot of useful things here. Note that the syslog severity is passed with the event, so you could filter on the second parameter to set the severity of this particular event to match, but for the purpose of this example we want to match on the syslog message in order to send out a notification when the "Interface" starts with "GigabitEthernet" and the state has changed to "down".

Now, in order to create a notification on this event, the easiest thing to do is just select it from the event list. Here is a picture from the node page:

Notice-tutorial-node-page.png

If you click on "Recent Events" you'll see:

Notice-tutorial-recent-events.png

Now you can click on "Edit notifications for event" and that will take you right into the notification configuration page (assuming you have Admin access).

Skip the results validation, and that will take you to this screen:

Notice-tutorial-notice-page.png

This is like configuring any other notice, except in this case I've added a parameter. The parameter name, taken from the event in the database, is "syslogmessage", and the value is a regular expression that looks for the string "Interface GigabitEthernet" followed by the string "state to down". This should eliminate other interfaces and also events where the state change was to "up".

To test this, I sent in three events:

Notice-tutorial-three-events.png

Note that the middle one is for a "Serial" interface. Note that only two notices were generated:

Notice-tutorial-notices.png

This proves that the regular expression is working.
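
The same parameter match can be checked offline before relying on the notice. This is an added example, not part of the original article or of OpenNMS itself: it parses the eventparms format shown earlier and applies a regular expression to the syslogmessage parameter. The pattern, the function names and the three sample rows are assumptions constructed for illustration, since the article's exact expression is only visible in a screenshot.

```python
import re

# Assumed pattern (the article's own expression is only in a screenshot).
# The leading/trailing ".*" keeps it valid whether a matcher anchors or searches.
PATTERN = re.compile(r".*Interface GigabitEthernet.*state to down.*")

# Every value in the eventparms column ends in a "(type,encoding)" suffix.
SUFFIX = re.compile(r"^(?P<value>.*)\((?P<type>\w+),(?P<enc>\w+)\)$", re.S)

def parse_eventparms(raw):
    """Split an eventparms string into {label: value}, dropping the suffix.

    Assumes values contain no raw ';' (true for the sample on this page).
    """
    parms = {}
    for field in raw.split(";"):
        if not field.strip():
            continue
        label, sep, rest = field.partition("=")
        if not sep:
            raise ValueError("parameter without '=': %r" % field)
        m = SUFFIX.match(rest)
        parms[label.strip()] = m.group("value") if m else rest
    return parms

def would_notify(raw, name="syslogmessage", pattern=PATTERN):
    """True when the named parameter exists and the pattern matches all of it."""
    value = parse_eventparms(raw).get(name)
    return value is not None and pattern.fullmatch(value) is not None

def make_event(interface, state):
    # Constructed rows modelled on the eventparms value shown in the article.
    return ("syslogmessage=Dec 21 16:55:57 AMS: %LINK-3-UPDOWN: Interface "
            + interface + ", changed state to " + state + "(string,text);"
            "severity=Error(string,text);service=local0(string,text)")

# Mirrors the article's test: three events, the middle one a Serial interface.
SAMPLES = [
    make_event("GigabitEthernet2/0/37", "down"),
    make_event("Serial0/0/1", "down"),
    make_event("GigabitEthernet2/0/38", "down"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(would_notify(raw), parse_eventparms(raw)["syslogmessage"])
```

Running the check against rows copied from the events table shows which past events the notice would have fired on, and which it would have silently skipped, before the filter goes live.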