opEvents processes syslog, SNMP Traps, NMIS Events into a common format for further processing. This process is called normalisation.
The following tables represents the standard properties of normalised events - but as event properties are pretty much infinitely adaptable and extensible (e.g. from custom parser rules or event action policies), the tables cannot be exhaustive.
A globally unique Event ID
Unix time of the event (seconds since 1970).
Note: This Property has been deprecated
The name of the node in question. Normally the same as the NMIS node name.
The DNS hostname or IP address of the node in question, as extracted from the input data.
Name of the event
Node Down, Node Up
What element of the node the event refers to.
FastEthernet1, Neighbor 22.214.171.124
Is the state good or bad, up or down.
up/down, open/closed, etc
Name of the stateful object.
Node, Interface, OSPF Neighbor
Other event details
Where did the event originate?
|cisco_syslog, trap, NMIS, (remote) API|
Has the event been marked for escalation?
|0 or 1|
|opEvents priority level, see opEvents priority levels vs. NMIS and Syslog levels||0 to 10, inclusive|
|nearest NMIS severity level, computed from ||Normal to Fatal|
Has the event been acknowledged?
|0 or 1|
Is this event a flap?
0 or 1
|action_required||Should the GUI show the event as open?|
Only present in opEvents versions up to (and including) 2.0.3.
|0 or 1|
Optional but Common Properties
In addition to those a number of properties are optional and created only under certain conditions:
|The ifAlias (or Description) of the interface in question|
|The server name of the system that originated the event;|
Optional, only relevant for remotely/API-generated events,
but plays an important role for reorder protection of stateful events.
|The URI for this event at the originating server. |
Optional, only relevant for remotely/API-generated events.
|List of Event IDs that this one is a duplicate of.|
Only present when programmable suppression rules affected this event.
|lists nodes that caused this synthetic event. Only present if this is a synthetic event.|
|List of Event IDs that were involved in causing this synthetic event.|
(Only in opEvents versions 2.0.3 to 2.2.1 this is also set for relationships between events,
e.g. for auto-acknowledged events the up event lists the down event's id here and vice versa.)
|List of Event IDs that are related to this stateful event, |
e.g. the preceding down event if this one is an up event and vice versa.
Only present in opEvents versions 2.4 and newer, and only if this event is stateful.
|Unix time, until then the event is held back from processing for actions and policies||1385079231|
|Has the event been processed wrt. actions and policies?||0 or 1|
|If an event triggered a script action that is set to save output,|
then the script output (and the script's execution time) is stored in these properties.
|whether this event was created by a correlation policy action,|
or because a watchdog expired
|0 or 1|
Deprecated as of opEvents 2.4, see trigger_eventids for replacement.
Event ID of the synthetic event that this event was a trigger for.
|List of synthetic event IDs that this one is a trigger of.|
Only in opEvents 2.4 and newer, and only if one or more correlation policy actions have identified this event as a trigger.
|Whether this is a watchdog expiration event||0 or 1|
|If the event is or was subject to escalation, then this property indicates the |
event's most recent escalation threshold. Note that this property is not cleared when
the event is acknowledged and escalation terminates.
|60, 900 etc.|
|If the event is or was subject to escalation, then this property lists the |
event's most recently active escalation policy name.
Like the previous property, this one persists after escalation terminates.
|a list of originator- and time-tagged comments for this event |
(optional, supported in opEvents 2.0 and newer)
|These enrichment tags are controlled by your action policy, and have no special meaning |
- with the exception of
(in opEvents 2.0.2 and up),
(only in opEvents 2.0.4 and up)
|status_history||A structured record of changes and activities related to the event.|
Node vs. Host, and how opEvents handles inconsistent input data
opEvents works hard to normalize inputs from disparate and often inconsistent input data; one of the most common issues is event input data that lacks the correct node name, only has an IP adress or a DNS shortname and not an FQDN and similar.
Here is an overview of the heuristic that opEvents applies to make sure that events are associated with the correct node:
- First, opEvents extracts the prospective nodes' host name from the input data.
The parser normally extracts a
hostproperty from the input, which may be an FQDN, DNS short name or IP address.
(The parser may also set the final
nodeproperty, but that's not recommended and our example parsing rules don't contain such operations.)
In case of the NMIS event log being the source, only the NMIS node name is available and is used as host name for all subsequent steps.
- opEvents now looks for the one node that is identified by this hostname/address etc.
This is done by looking in a cache of associations between FQDNs, shortnames and IP addresses that opEvents maintains.
If this succeeds, then the node's name is set as the event's
nodeproperty and the procedure is finished.
- If no matching association is found, then the DNS is used to find potential intermediate associations.
hostproperty is resolved via the DNS, forward to IP address if it was a hostname, or reverse to FQDN if it was an IP address.
- If this intermediate step resulted in something that is associated with a known node, then that node is used and the intermediate info is added to the cache.
(There are also some internal safeguards to reduce the number of DNS requests opEvents might perform.)
- If none of this worked, then the original raw, untranslatable,
hostproperty is used as a new node's name.
In opEvents 2.0.4 and newer, the configuration option
opevents_auto_create_nodescontrols the behaviour in this situation: if set to false, the event is skipped.
If set to true (or not present), then a new node record is created. (Older versions of opEvents always created new but somewhat incomplete node records in this case.)
The consequences of this normalisation setup are as follows:
- An event's
event.nodeproperty will always identify the node that is associated with the event.
- The event's
event.hostproperty is set from the raw inputs, and is very often not the same as a known node's
node.hostproperty, nor is it guaranteed to exist.
The only thing guaranteed about
event.hostis that at the time of the event creation it was somehow, possibly even just temporarily, associated with the node in question.
For NMIS eventlog as source the
event.hostis always the NMIS node name.
- The opEvents dashboard and event-centric pages all show the
event.nodeproperty as primary id, and the
event.hostproperty as supplementary information.
- Editing a node's
addressesproperties in the Edit Nodes GUI does not affect any existing events; it just sets up association info for finding the right node for future events.