We have Zenoss 3.2.1 monitoring some Nortel switches. I've added the Nortel ZenPack, which works great.
There is only one little disadvantage:
When Zenoss receives a syslog message "hostname :link up trap for port: 4" from the switch it appears in Zenoss like:
So we can't see or know that it is a link up or link down trap. If I simulate a trap, Zenoss only shows this message, and even overwrites it. So there isn't even a difference between the messages.
Does someone know how to change this view? I've tried something with mappings, but it won't give the desired result.
Hmm, if you open up the event, what details are there... does it have hidden away that it's a link up? If so, you could probably use an event transform to edit the subject of the event.
LEPP Computer Group
No, there isn't any info in the event about link up or down. There will also be an SNMP trap in the events. The trap is logged at the same time as the syslog event. But the SNMP trap also does not show all the info. It only says snmp link trap up or link trap down, but no port info.
I would like to see the original syslog message from the switch, but Zenoss does not show the original message, but splits it up or something.
Can you point your switch to something else and grab the full trap and syslog messages?
What do you mean by that? It's my intention to use Zenoss for all the monitoring, including the syslog, and not to use another tool like Kiwi.
There must be a way to get the message displayed correctly. But I don't understand the use of mappings/transforms in Zenoss. I don't have any knowledge of Python either.
The syslog looks like it might be malformed. The best way to tell would be to capture the entire syslog message as sent from the device. If it is malformed, you'll need to either get the device fixed (unlikely) or do some coding magic to parse the syslog message before it gets to Zenoss for making an event.
LEPP Computer Group
What I mean is send the messages to another application to compare message integrity. I'm unconvinced it's a Zenoss problem since we're talking Nortel devices.
Here you can see that the messages are not malformed (received by the SolarWinds syslog receiver):
This is what Zenoss shows:
Where is the message? Only "4"?
Those traps are going to the history:
So, where is my port info and the link up messages?
In the syslog from SolarWinds the received messages are correct. Also in a Wireshark capture you see the correct info. But Zenoss transforms the message....
Is the 4 in the component field? If it is, the problem is that syslog does not report the actual port name. If it did, Zenoss would automatically create a link to that port. You can optionally create a transform to read out the component, find the interface with that ifIndex and replace the 4 with the component's full name. Nortels are notorious for providing less than helpful messages.
No, Port is in the component field and 4 in the summary.
However, I do not understand how mappings and transforms work in Zenoss. Maybe you can help me a bit?
It looks like the message ultimately doesn't contain enough useful information. Looking at the message from syslog, does the message provide the source device or ip? Looking at the traps, no device seems to be associated with the traps. This means that the device is either not monitored by zenoss or the trap has no data in it relating to the source device. It's not impossible to map this stuff with transforms, but it'll be ugly.
I've removed the IP information from the screenshots, so it will be there. The switch is also monitored in Zenoss. Everything looks fine. The only disadvantage is the appearance of the link trap.
For the snmpTrap, is a component listed?
I know someone asked you about this, but can you post here the original syslog message as the switch is sending it? You can do this by logging those messages in a text file. You did it in Orion, but the syslog messages are already being parsed by Orion so we might lose some valuable info here. I would also like to know how your setup for Zenoss syslog is: is it receiving syslog messages directly from the switch or from a forwarder, local or remote?
Anyway, just looking at those messages as shown by Orion syslog and checking with the format of a standard syslog message, a question arises in my mind: when parsing the syslog message payload, is Zenoss by chance using the colon (:) character as field separator? Obviously, I address this question to all those having a deeper knowledge of Zenoss's internal workings.
So can anyone tell us if Zenoss, when parsing the syslog message, is using the colon character as a separator?
My suspicion is also that Zenoss uses the (:) as field separator. When I make a capture of the syslog traffic and compare the different messages, I notice that (:) is used as a field separator.
The question is, is it possible to change it somewhere in Zenoss? Remarkable is that the "summary" field and the "message" field contain the same data. It would be nice if those were different, like the summary field containing the original syslog message like the info field you see in a Wireshark capture.
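
An added illustration of the colon-separator hypothesis discussed above; it is not part of the original thread and is not Zenoss code. Both regular expressions, the deduplication key and the sample lines are assumptions constructed for this example. It shows how a loose "word: rest" rule turns the quoted message into component "port" and summary "4", so link up and link down become indistinguishable, while an anchored rule keeps the whole line.

```python
import re

# Constructed sample lines, modelled on the message quoted in the thread.
UP = "sw01 :link up trap for port: 4"
DOWN = "sw01 :link down trap for port: 4"

# Hypothetical loose rule (an assumption, not Zenoss's parser): treat any
# "word: rest" found anywhere in the line as "component: summary".
LOOSE = re.compile(r"(?P<component>\S+): (?P<summary>.*)")

# Stricter rule: accept a tag only at the very start of the line, in the
# RFC 3164 style "program[pid]: text"; otherwise keep the line whole.
STRICT = re.compile(
    r"^(?P<component>[A-Za-z0-9_./-]{1,32})(?:\[\d+\])?: (?P<summary>.*)$"
)

def _event(match, line):
    # No tag found: leave the component empty and keep the full line.
    if match is None:
        return {"component": "", "summary": line, "raw": line}
    return {"component": match.group("component"),
            "summary": match.group("summary"),
            "raw": line}

def parse_loose(line):
    # search() scans the whole line, so "port: 4" near the end matches.
    return _event(LOOSE.search(line), line)

def parse_strict(line):
    # match() with ^ only accepts a tag in the leading position.
    return _event(STRICT.match(line), line)

def dedup_key(event):
    # Simplified stand-in for a deduplication key (assumption): events
    # with equal component and summary collapse into a single row.
    return (event["component"], event["summary"])

if __name__ == "__main__":
    for parse in (parse_loose, parse_strict):
        for line in (UP, DOWN):
            print(parse.__name__, parse(line))
```

Whichever rule a collector applies, keeping the unparsed line (the `raw` field here) alongside the derived fields lets an operator check what the device actually sent.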