Table Of Contents
Event and Alarm Configuration Parameters
Alarm Type Definition
Event (Sub-Type) Configuration Parameters
General Event Parameters
Root Cause Configuration Parameters
Correlation Configuration Parameters
Network Correlation Parameters
Flapping Event Definitions Parameters
Event and Alarm Configuration Parameters
This chapter describes the different options that exist to modify the alarm behavior by editing the appropriate alarm parameters in the system registry.
•
Alarm Type Definition—Describes the alarm type concept.
•Event (Sub-Type) Configuration Parameters—Describes the event and alarm configuration parameters and values that can be controlled through the registry.
The parameters described in the following section are defined per event (subtype) that belongs to the alarm.
Note Changes to the registry should only be carried out with the support of Cisco Professional Services.
Alarm Type Definition
The alarm type serves as an identifier which enables group events from different subtypes to share the same type and source in a single event sequence.
The event subtype is a specific occurrence of fault in the network. For example, link down and link up are two subtypes that share the same type.
Event (Sub-Type) Configuration Parameters
General Event Parameters
Parameter Name
|
Description
|
Permitted Values
|
severity
|
Severity level of the event.
|
Either:
•CRITICAL
•MAJOR
•MINOR
•WARNING
•CLEARED
•UNKNOWN
•INFO
|
is-ticketable
|
Determines whether the alarm will generate a new ticket, if there is no root-cause alarm to correlate to.
|
True (ticketable)
False (not ticketable)
|
functionality-type
|
Determines the event type.
|
Either:
•Service (Cisco ANA-generated)
•Syslog
•SNMP trap
|
Root Cause Configuration Parameters
These parameters define the behavior of the alarm when serving as the root cause of other alarms.
Name
|
Description
|
Permitted Values
|
is-correlation-allowed
|
Defines whether the alarm may serve as a root cause, and allow child alarms to correlate to it.
|
True (correlates) or False (will not correlate)
|
root-cause (also: short description)
|
Textual description that describes the event.
|
User defined text
|
due-to-cause
|
Display string that will be given to the consequent alarms which correlate to this alarm.
|
User defined text
|
timeout
|
Defines time period allowed in milliseconds for consequent alarms to correlate to this alarm.
|
Positive integer
|
gw-correlation-timeout
|
The period of time in milliseconds for how long an alarm with the severity Clear or Info is open for sequence. Alarms with non-cleared severity are always open for a consequent alarm.
|
Positive integer
|
is-correlation-allowed-when-not-correlated
|
If this alarm is not correlated to a parent alarm it determines if the alarm may serve as root cause, and allow child alarms to correlate to it.
|
True or false
|
The following figure explains the difference between root cause and due to cause:
Figure 5-1 Root Cause Compared to Due to Cause
Correlation Configuration Parameters
These parameters define the behavior of the alarm in finding its root-cause alarm:
Name
|
Description
|
Permitted values
|
correlate
|
Determines whether the alarm should attempt to find and correlate to a root-cause alarm. If this parameter is set to true at least box level correlation will be performed.
|
Trueor false
|
correlate-to-cloud
|
Determines whether a special alarm is created for some events, when there is no root cause found. These events are then correlated to the alarm.
|
Trueor false
False for all events except for:
•BGP neighbor loss syslog
•OSPF neighbor loss syslog
•EIGRP syslogs
•Cisco IGRP syslogs
|
send-uncorrelated
|
Determines whether to continue processing the event even when a root-cause alarm was not found.
|
Trueor false
|
correlation-delay
|
Period of time in milliseconds to wait before attempting to find and correlate to a root-cause obsolete parameter.
|
Positive integer
|
expiration-time
|
Period of time in milliseconds required to wait before attempting to find a root cause. It also controls when an event will become an alarm (if it is ticketable and did not correlate to some other alarm prior to the expiration of this interval).
|
Positive integer
|
time-stamp-delay
|
Used for normalization of the event occurrence time. The value in milliseconds is subtracted from the event time, to compensate for the time difference with the root-cause alarm. It is also used for running the network correlation against the historic network configuration.
|
Positive integer
|
drop-event
|
Whether event should be dropped on VNE level and not forwarded to gateway level.
|
Trueor false
|
Network Correlation Parameters
These parameters control the alarm's behavior in initiating an active correlation-search flow:
Name
|
Description
|
Permitted values
|
activate-flow
|
Determines whether to initiate network level correlation.
|
True or false
|
flow-delay
|
Defines the time in milliseconds to wait before initiating the network correlation flow. Increasing this value causes the alarm to wait longer before attempting correlation. If this value is too high the correlation will be meaningless as it will show events that happened a long time ago. Decreasing this value causes the alarm to wait a shorter period of time before attempting correlation.
|
Positive integer
|
flow-activation-message
|
Identifies the flow process functionality.
|
IPBasedActiveFlowTriggerMessage
|
alarm-min-age
|
Defines how old the alarm should be in order to be a root cause for a specified event.
|
Positive integer
|
flow-ttl
|
How many DCM hops may the flow trace before being stopped.
|
Positive integer
|
weight
|
Defines the weight of an alarm as a correlation candidate. The heavier the alarm, the more likely it will be chosen as the root cause.
|
-2—weightless
or
-1—maximum weight
or
Positive integer
|
Note All delays should be smaller than the expiration time to allow correlation to take place. Flow activation delay is being counted only when the correlation delay has expired.
Flapping Event Definitions Parameters
These parameters control the alarm's behavior in setrn=mining its flapping state:
Name
|
Description
|
Permitted values
|
Enabled
|
Is the flapping enabled for this event.
|
True or false
|
Flapping interval
|
The maximum amount of time in milliseconds between two alarms which can be considered as a flapping change.
|
Positive integer
|
Flapping threshold
|
After this amount of changes (each change arriving at an interval lower then the flapping interval), the event will be considered as flapping.
|
Positive integer
|
Update interval
|
After this interval in milliseconds an update will be sent.
|
Positive integer
|
Clear interval
|
The amount of time in milliseconds an event has to stay in one state to be considered as a normal alarm and not in a flapping state.
|
Positive integer
|
Update threshold
|
After this number of flapping alarms, an update will be sent to the gateway updating the alarm with the number of events received.
|
Positive integer
|
