
Options on how to exclude a node from notifications and alarms

0 votes
12 views

I am looking for recommendations on the best / most efficient method to exclude a specific item (not a node) from notifications and alarms triggered from events that include specific text strings in the log message.

The event syslogmessage "Message:" may include the name or IP address of a server or pool on which I do not want to get a notice or alarm. There will be multiple text strings to consider (if the message contains 192.168.244.4, 192.168.244.5, etc. or if the message contains "doodle", "mail", "Ted", etc.) do not trigger a notification or alarm. Of course, if any of the identified text strings are not in the message the notification and alarm should be sent.

On the following message I would like to be able to exclude it based on the IP address, the text "mail", or the text "green --> gray".

Message: alert gtmd[14489]: 011a4003:1: SNMP_TRAP: Pool /Common/mail.domain.com member /Common/mail.domain.com_vs (ip:port=192.168.244.4:0) state change green --> gray (Not Authorized)

The desire would be for this to affect any UEI: uei.opennms.org/vendor/F5/traps/bigipLogAlert, uei.opennms.org/syslogd/local0/Error, uei.opennms.org/syslogd/local1/Error, uei.opennms.org/syslogd/local6/Error, uei.opennms.org/syslogd/mail/Error, etc.

The two solutions I can think of include:

1) edit notifications for each uei to consider and put in the text to include

2) create a reduction event and use part of the text to identify the node and then limit the nodes to consider.

Both of these ideas seem like they will be a maintenance headache.

Thank you for the suggestions.

OpenNMS version: 20.0.1
Java version: 1.8.0_45 Oracle Corporation
Operating system: Ubuntu
PostgreSQL version: 9.5
asked Aug 9 by ebfisher3 (210 points)
edited Aug 18 by ebfisher3

1 Answer

0 votes
This is a tricky one. Here's how I would do it.

For all of the notifications that could possibly be triggered by one of these events, I would make sure there was some sort of initial delay, say one minute.

Then I would create an automation to go through all outstanding notices and automatically acknowledge those notices that meet my criteria, which would stop the escalation and make sure that the notice isn't sent.

    <automation name="cleanUpNotices" interval="45000" active="true"
                action-name="cleanUpNotices" />

 

    <action name="cleanUpNotices">
      <statement>
        UPDATE notifications
           SET answeredby = 'auto-acknowledge', respondtime = now()
         WHERE answeredby is null
               AND textmsg ~ 'green --&gt; gray';
      </statement>
    </action>

That should run every 45 seconds and should work - although I haven't actually tested it. The "textmsg ~" should use a regex to look for that substring in the notification text.
answered Sep 6 by Tarus Balog (530 points)
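
An added example, not part of the answer above and not OpenNMS code: it extends the single-string `textmsg ~` match to the list of IPs and strings from the question, escaping regex metacharacters and bounding each IP so the automation does not silently acknowledge notices for other hosts. The helper names and sample notices are constructed, and Python's `re` is assumed to agree with PostgreSQL's `~` for the constructs used.

```python
import re

# Constructed exclusion list, based on the examples in the question.
EXCLUDE_IPS = ["192.168.244.4", "192.168.244.5"]
EXCLUDE_TEXT = ["green --> gray", "doodle"]
META = set(".^$*+?()[]{}|\\")

def escape(literal):
    """Backslash-escape regex metacharacters so the text matches literally."""
    return "".join("\\" + c if c in META else c for c in literal)

def build_pattern(ips, words):
    """One alternation for PostgreSQL's ~ operator; IPs get consuming boundary
    groups rather than lookarounds (lookbehind needs PostgreSQL 9.6 or later)."""
    parts = ["(^|[^0-9.])" + escape(ip) + "($|[^0-9])" for ip in ips]
    return "|".join(parts + [escape(w) for w in words])

def build_statement(pattern):
    """Render the UPDATE: double single quotes for SQL, then escape for XML."""
    text = pattern.replace("'", "''")
    text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return ("UPDATE notifications\n"
            "   SET answeredby = 'auto-acknowledge', respondtime = now()\n"
            " WHERE answeredby is null\n"
            "   AND textmsg ~ '" + text + "';")

def suppressed(pattern, textmsg):
    """Local dry run with Python's re (assumed to agree with ~ on this subset)."""
    return re.search(pattern, textmsg) is not None

# Constructed notices: the first is shortened from the message in the question.
SAMPLES = [
    "Pool /Common/mail.domain.com member /Common/mail.domain.com_vs "
    "(ip:port=192.168.244.4:0) state change green --> gray (Not Authorized)",
    "Pool /Common/web member /Common/web_vs (ip:port=192.168.244.40:0) "
    "state change green --> red",
    "Pool /Common/web member /Common/web_vs (ip:port=192x168y244z4:0) down",
]

if __name__ == "__main__":
    strict = build_pattern(EXCLUDE_IPS, EXCLUDE_TEXT)
    naive = "|".join(EXCLUDE_IPS + EXCLUDE_TEXT)  # unescaped substrings
    print(build_statement(strict))
    for msg in SAMPLES:
        print(suppressed(naive, msg), suppressed(strict, msg), msg[50:90])
```

The unescaped pattern acknowledges all three sample notices, while the escaped and bounded one acknowledges only the first.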