Table Of Contents
Event and Alarm Configuration Parameters
Alarm Type Definition
Event (Sub-Type) Configuration Parameters
General Event Parameters
Root-Cause Configuration Parameters
Correlation Configuration Parameters
Network Correlation Parameters
Flapping Event Definitions Parameters
Event and Alarm Configuration Parameters
This chapter describes the different options that exist to modify the alarm behavior by editing the appropriate alarm parameters in the system registry.
Alarm Type Definition describes the alarm type concept.
Event (Sub-Type) Configuration Parameters describes the event and alarm configuration parameters, and values that can be controlled through the Registry.
The parameters described in the following section are defined per event (sub-type) that belongs to the alarm.
Note 
Changes to the Registry should only be carried out with the support of Cisco Professional Services.
Alarm Type Definition
The alarm type serves as an identifier which enables group events from different sub-types to share the same type and source in a single event sequence.
The event sub-type is a specific occurrence of fault in the network. For example, link down and link up are two sub-types that share the same type.
Event (Sub-Type) Configuration Parameters
General Event Parameters
Parameter Name
|
Description
|
Permitted Values
|
severity
|
Severity level of the event.
|
Either:
•CRITICAL
•MAJOR
•MINOR
•WARNING
•CLEARED
•UNKNOWN
•INFO
|
is-ticketable
|
Determines whether the alarm will generate a new ticket (in case there is no root-cause alarm to correlate to).
|
True (ticketable); False (not ticketable)
|
functionality-type
|
Determines the event type.
|
Either:
•Service (Sheer-generated)
•Syslog
•SNMP Trap
|
Root-Cause Configuration Parameters
These parameters define the behavior of the alarm when serving as the root-cause of other alarms.
Name
|
Description
|
Permitted Values
|
is-correlation-allowed
|
Defines whether the alarm may serve as a root-cause, and allow child alarms to correlate to it.
|
True (correlates) or False (will not correlate)
|
root-cause (also: short description)
|
Textual description that describes the event.
|
User defined text
|
due-to-cause
|
Display string that will be given to the consequent alarms (which correlate to this alarm).
|
User defined text
|
timeout
|
Defines time period allowed (in milliseconds) for consequent alarms to correlate to this alarm.
|
Positive integer
|
gw-correlation-timeout
|
The period of time (in milliseconds) for how long an alarm with the severity `Clear' or `Info' (alarms with non-cleared severity are always open for a consequent alarm) is open for sequence.
|
Positive integer
|
is-correlation-allowed-when-not-correlated
|
If and only if this alarm is not correlated to a parent alarm it determines if the alarm may serve as root-cause, and allow child alarms to correlate to it.
|
True/False
|
The following figure explains the difference between "Root-cause" and "Due-to-cause":
Figure 5-1 Root-Cause vs. Due-to-Cause
Correlation Configuration Parameters
These parameters define the behavior of the alarm in finding its root-cause alarm.
Name
|
Description
|
Permitted values
|
correlate
|
Determines whether the alarm should attempt to find and correlate to a root-cause alarm. If this parameter is set to true at least box level correlation will be performed.
|
True/False
|
correlate-to-cloud
|
Determines whether a special alarm is created for some events, when there is no root cause found. These events are then correlated to the alarm.
|
True/False
False for all events except for:
•BGP neighbor loss syslog
•OSPF neighbor loss syslog
•EIGRP syslogs
•Cisco IGRP syslogs
|
send-uncorrelated
|
Determines whether to continue processing the event even when a root-cause alarm was not found.
|
True/False
|
correlation-delay
|
Period of time (in milliseconds) to wait before attempting to find and correlate to a root-cause - Obsolete Parameter.
|
Positive integer
|
expiration-time
|
Period of time (in milliseconds) required to wait before attempting to find a root-cause. It also controls when an event will become an alarm (if it is ticketable and did not correlate to some other alarm prior to the expiration of this interval)
|
Positive integer
|
time-stamp-delay
|
Used for "normalization" of the event occurrence time. The value (in milliseconds) is subtracted from the event time, to compensate for the time difference with the root-cause alarm). It is also used for running the network correlation against the historic network configuration
|
Positive integer
|
drop-event
|
Whether event should be dropped on VNE level - not forwarded to GW level.
|
True/False
|
Network Correlation Parameters
These parameters control the alarm's behavior in initiating an active correlation-search flow.
Name
|
Description
|
Permitted values
|
activate-flow
|
Determines whether to initiate Network level correlation.
|
True/False
|
flow-delay
|
Defines the time (in milliseconds) to wait before initiating the network correlation flow. Increasing this value causes the alarm to wait longer before attempting correlation. If this value is too high the correlation will be meaningless as it will show events that happened a very long time ago. Decreasing this value causes the alarm to wait a shorter period of time before attempting correlation.
|
Positive integer
|
flow-activation-message
|
Identifies the flow process functionality
|
IPBasedActiveFlowTriggerMessage
|
alarm-min-age
|
Defines how old (at least) the alarm should be in order to be a root-cause for a specified event.
|
Positive integer
|
flow-ttl
|
How many DCM hops may the flow trace before being stopped
|
Positive integer
|
weight
|
Defines the weight of an alarm as a correlation candidate. The "heavier" the alarm the more likely it will be chosen as root cause.
|
-2 - weightless
or
-1 - maximum weight
or
Positive integer
|
Note All delays should be smaller than expiration time to allow correlation to take place. Flow activation delay is being counted only when the correlation delay has expired.
Flapping Event Definitions Parameters
These parameters control the alarm's behavior in setrn=mining its flapping state.
Name
|
Description
|
Permitted values
|
Enabled
|
Is the flapping enabled for this event.
|
True/False
|
Flapping interval
|
The maximum amount of time (in milliseconds) between two alarms which can be considered as a flapping change.
|
Positive integer
|
Flapping threshold
|
After this amount of changes (each change arriving at an interval lower then the "flapping interval"), the event will be considered as flapping.
|
Positive integer
|
Update interval
|
After this interval (in milliseconds) an update will be sent
|
Positive integer
|
Clear interval
|
The amount of time (in milliseconds) an event has to stay in one state to be considered as a normal alarm and not in a flapping state
|
Positive integer
|
Update threshold
|
After this number of flapping alarms, an update will be sent to the Gateway updating the alarm with the number of events received.
|
Positive integer
|
