NNMI 2023.05 Incident Enrichment issues

Hi, Experts,

I faced a very strange issue with Incident Enrichment. I created an enrichment rule, and the Enrichment Report says that the payload filter is matched and the event will be enriched with Severity=Normal and Correlation Nature=none. However, newly arrived SNMP traps are not enriched and have severity=Warning. Any idea what can be wrong?

The specifics are that I'm using both the regular trap payload and Custom Incident Attributes in the Enrichment filter:


Thank you in advance,
Gedas

  • 0  

    Hello Gedas,

    .1.3.6.1.2.1.15.3.1.2.10.53.83.80 is of type integer. Try to remove 'established' from the list for the CIA value to see if it makes any difference. If it does not help, perhaps it is related to the presence of the Custom Incident Attribute "Community". How do you insert one? In the same Enrichment item? Can you try to add one in a separate enrichment item which is configured before another one where you enrich Severity?

    Best regards,
    Sergey

  • 0   in reply to   

    Thank you, Sergey

    Yes, you are right. CIA "Community" is added in the same enrichment configuration as a "Custom Attributes" rule. Severity is assigned by "Payload Filter". I supposed that "Custom Attributes" has priority. But this seems not to be the case...

    How can I configure the Node CA to CIA assignment before the Severity enrichment? An Incident has only one Enrichment, and there is no order of processing for the Enrichment configurations.

    best regards,
    Gedas

  • Verified Answer

    +1   in reply to   

    I performed a similar test, and it worked for me. In the first enrichment item (at the top) I added a new CIA "Community". In the payload filter I used only the CIA name/value from the original trap, for example, (ciaValue in (2, 6) AND ciaName = .1.3.6.1.2.1.15.3.1.2.192.168.100.1).

    I did not change Severity here. In the second enrichment item I changed Severity and used the Payload filter:

    ((ciaValue in (2, 6) AND ciaName like \Q.1.3.6.1.2.1.15.3.1.2\E.*) AND (ciaValue = roseville AND ciaName = Community))

    Report Enrichment

    Enrichment performed for the default settings for the incident BGPEstablished.
    The payload filter which matched for the enrichment is: (ciaValue in (2, 6) AND ciaName = .1.3.6.1.2.1.15.3.1.2.192.168.100.1)
    Enrichment performed for the default settings for the incident BGPEstablished.
    The payload filter which matched for the enrichment is: ((ciaValue in (2, 6) AND ciaName like \Q.1.3.6.1.2.1.15.3.1.2\E.*) AND (ciaValue = roseville AND ciaName = Community))
    Note: This is the enrichment that will be performed should this incident occur in the future.
    Severity: Normal
    Priority: None
    Category: Fault
    Family: Interface
    Correlation Nature: Symptom
    Message Format: BGP Established: State 6 (established), Last Error: NoError, Neighbor: 192.168.100.1
    Assigned To: null
    Custom Incident Attributes:
    Name: .1.3.6.1.2.1.15.3.1.7.192.168.100.1, Value: 192.168.100.1, Type: asn_ipaddress
    Name: .1.3.6.1.2.1.15.3.1.14.192.168.100.1, Value: NoError, Type: asn_octetstring
    Name: .1.3.6.1.2.1.15.3.1.2.192.168.100.1, Value: 6, Type: asn_integer
    Name: .1.3.6.1.4.1.11.2.17.2.2.0, Value: 192.168.100.1, Type: asn_octetstring
    Name: cia.snmpoid, Value: .1.3.6.1.2.1.15.0.1, Type: String
    Name: cia.address, Value: 192.168.100.1, Type: String
    Name: cia.originaladdress, Value: 10.88.212.111, Type: String
    Name: cia.agentAddress, Value: 10.88.212.111, Type: String
    Name: Community, Value: roseville, Type: String
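
The ordering effect discussed in this thread, as an added example that is not part of the original posts and is not NNMi code: a small Python model that evaluates the two payload filters against the CIAs from the report above. It assumes that `like` takes a Java-style regex with `\Q...\E` literal quoting and that a filter only sees CIAs that exist before its own enrichment item runs; `java_like`, `has_cia` and `enrich` are hypothetical helper names.

```python
import re

# CIAs of the BGPEstablished trap, copied from the enrichment report above.
TRAP_CIAS = {
    ".1.3.6.1.2.1.15.3.1.7.192.168.100.1": "192.168.100.1",
    ".1.3.6.1.2.1.15.3.1.14.192.168.100.1": "NoError",
    ".1.3.6.1.2.1.15.3.1.2.192.168.100.1": "6",
    "cia.snmpoid": ".1.3.6.1.2.1.15.0.1",
}

def java_like(pattern):
    """Translate a Java-style pattern with \\Q...\\E quoting to a Python regex."""
    parts = re.split(r"\\Q(.*?)\\E", pattern)
    # Odd indexes are the quoted literals, even indexes are regex text.
    return re.compile("".join(re.escape(p) if i % 2 else p
                              for i, p in enumerate(parts)))

def has_cia(cias, name_pattern, values):
    """True if a single CIA matches the name pattern and carries one of the values."""
    rx = java_like(name_pattern)
    return any(rx.fullmatch(n) and v in values for n, v in cias.items())

def first_filter(cias):
    # (ciaValue in (2, 6) AND ciaName = .1.3.6.1.2.1.15.3.1.2.192.168.100.1)
    return has_cia(cias, r"\Q.1.3.6.1.2.1.15.3.1.2.192.168.100.1\E", {"2", "6"})

def second_filter(cias):
    # (... ciaName like \Q.1.3.6.1.2.1.15.3.1.2\E.*) AND (ciaName = Community ...)
    return (has_cia(cias, r"\Q.1.3.6.1.2.1.15.3.1.2\E.*", {"2", "6"})
            and has_cia(cias, r"\QCommunity\E", {"roseville"}))

def enrich(cias, items):
    """Apply (filter, added CIAs, severity) items top to bottom.
    Assumption of this model: the filter is checked before the item adds its CIAs."""
    cias, severity = dict(cias), "Warning"
    for payload_filter, added, new_severity in items:
        if payload_filter(cias):
            cias.update(added)
            severity = new_severity or severity
    return severity

COMMUNITY = {"Community": "roseville"}
# One item that both adds Community and filters on it (the original setup).
ONE_ITEM = [(second_filter, COMMUNITY, "Normal")]
# Two items: the first adds Community, the second changes Severity.
TWO_ITEMS = [(first_filter, COMMUNITY, None), (second_filter, {}, "Normal")]
```

In this model `enrich(TRAP_CIAS, ONE_ITEM)` leaves the severity at Warning, while `enrich(TRAP_CIAS, TWO_ITEMS)` returns Normal.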