RMON Alarm/Event List

---

Although Alarms and Events are defined as separate RMON features, neither one can function properly without the other. You can define an alarm threshold, but if it doesn't point to an event, there will be no indication that the threshold has been crossed. Similarly, you can define an event, but unless it is attached to an alarm threshold, it won't be triggered. Each is an essential part of the same notification process: the alarm defines a set of conditions you want to know about, and the event provides the means of letting you know those conditions have occurred.

Console's RMON Alarm/Event List window lets you define custom alarms for almost any MIB variable (OID), as long as it is present in the device firmware and its value is defined as an integer (including counters, timeticks, and gauges). You can define both rising and falling alarm thresholds for the selected MIB variables and automatically create the necessary events (to log alarm occurrences, generate a trap, or both). All aspects of alarms are user-selectable: thresholds can be established on either the absolute or delta value for a variable; events can be configured to create a log, generate a trap, or both. Using the Alarms feature, you need only be sure to select variables appropriate to the interface (Ethernet for Ethernet, Token Ring for Token Ring, etc.) when defining your alarms.

	NOTE:	When the RMON Alarm/Event List window is initially opened the Console Event log might show several SNMP gets/sets to the selected device. This is because Console first queries RMON status on the selected device and, if it finds that RMON is disabled, Console attempts to enable it.

Click areas in the window for more information.

	TIP:	You can use the RMON Alarms feature to configure alarms for MIB objects on FDDI, ATM, and other interfaces that don't specifically support RMON: the Alarm configuration lets you select any object as an alarm variable, as long as its value is defined as an integer and you assign the correct instance value.

Alarms Watch Table

Index

The index is a number that uniquely identifies each alarm. Index numbers are automatically assigned each time an alarm is created or modified; these numbers are random and will not necessarily be consecutive.

Interval

Indicates the amount of time, in seconds, over which the selected variable will be sampled. At the end of the interval, the sample value is compared to both the rising and falling thresholds configured for the alarm.

Sample

Indicates whether the sample value to be compared to the thresholds is an absolute, or total value (that is, the total value counted for the selected variable), or a relative or delta value (the difference between the value counted at the end of the current interval and the value counted at the end of the previous interval.)

LoThrshld

Indicates the set value for the low, or falling threshold.

Event Index

Indicates the event index number that the falling threshold points to: this is the event that will be triggered if the falling threshold is met or crossed. If the value for this field is zero, no event will be triggered.

HiThrshld

Indicates the set value for the high, or rising threshold.

Event Index

Indicates the event index number that the rising threshold points to: the event that will be triggered if the rising threshold is met or crossed. If the value for this field is zero, no event will be triggered.

Status

Indicates the status of the alarm: valid, invalid, or underCreation. An alarm that is invalid is not functional and may be referring to a MIB component that is inactive (such as the Hosts component), not present, or unreachable, or it may have been deleted by software but not yet removed from memory at the device. An alarm that is underCreation is in the process of being configured (possibly by another management station), and should not be modified until its status is valid; if it never reaches valid status, it will eventually be removed.

Alarm Variable

Indicates the variable that is being watched. You can use the scroll bar, if necessary, to view the complete name.

Events Watch Table

Index

The index is a number that uniquely identifies each event. Index numbers are automatically assigned each time an event is created or modified; these numbers are random and will not necessarily be consecutive.

LastTime

Indicates the last time this event was triggered. Note that this information is static once it is displayed, and the LastTime field will not be updated unless you close, then open, the Alarms/Events window, or click on Refresh.

Type

Indicates the type of response that will be generated if the event is triggered: log, trap, or log & trap. A type of "none" indicates that occurrences of the event will not be logged and no trap will be sent. Note that this field does not indicate, however, whether or not there are any actions associated with the selected event.

Description

This is a user-defined text description used to identify the event and/or the alarm or packet capture that triggers it.

Create/Modify Alarm Window

The Create Alarm and Modify Alarm windows both provide the same set of parameters to let you define alarms. The Create Alarm window is opened with default settings and allow creating new alarms. The Modify Alarm window opens showing the settings for an alarm selected in the Alarm Watch table and allows you to edit an existing alarm.

Click areas in the window for more information.

Owner

This allows you to enter some appropriate individual as the designated owner of this alarm. This could be the network manager's name or phone number, or the IP or MAC address of the management workstation, to identify the creator of the alarm. Since any workstation can access and change the alarms you are configuring, some owner identification can prevent alarms from being altered or deleted accidentally. The default owner is the NetSight <hostname> and <IP address> <date> <time>, where the hostname and IP address belong to the Console host system, and the date and time reflects the date and time of the alarm's creation.

Alarm Variable

The MIB Object Selector panel on the right side of the window contains three tabs. The Tree and List tabs let you select an Alarm Variable for the alarm that you are configuring. The Description tab shows the text description for MIB objects selected from the MIB Tree or List tab.

Tree Tab

This tab shows the supported MIBs as a tree hierarchy. You can expand the tree to select a MIB object that you want to watch with this alarm. Once an object is selected from the tree, you can set the remaining parameters to define an instance and establish thresholds for this alarm.

Sample Tree Tab

Find Feature

This feature lets you search the tree to locate a specific MIB Object by typing all or part of a text string for a particular Object ID or Description into the Find what field, selecting an search option, and clicking Find.

List Tab

This tab presents MIB objects in a table. A table right-click menu provides find and filter features to help you locate specific MIB objects. You can access these Table Tools through a right mouse click on a column heading or anywhere in the table body. For more information, see Table Tools.

Sample List Tab

Description Tab

This tab displays the text description (as it appears in the MIB) for a selected MIB object.

Alarm Instance

RMON objects that are part of a table are instanced by the index number that typically corresponds to an interface. For example, if you wish to set an alarm on an object located in an RMON Statistics table, you can determine the appropriate instance by noting the index number assigned to the table that is collecting data on the interface you're interested in. If there are multiple default tables per interface, however, or if additional tables have been created, this may not be true. (Table index numbers are assigned automatically as table entries are created. No two tables, even those on different interfaces, will share the same table index number.)

If you have selected an object from a table which is indexed by some other means (for example, by ring number) you must be sure to assign the instance accordingly. If you're not sure how a tabular object is instanced, you can use the MIBTool utility to query the object; all available instances for the object will be displayed. If you have selected an object which is not part of a table, you must assign an instance value of 0.

If you wish to set an alarm on an object whose instance is non-integral (for example, a Host Table object indexed by MAC address) or on an object with multiple indices, like a Matrix Table entry (which is indexed by a pair of MAC addresses), you must follow certain special procedures for defining the instance. For these OIDs, the instance definition must take the following format:

table index.length(in bytes).instance(in decimal format)

For the first byte of the instance, you must use the index number of the table which contains the OID you want to track. For example, to set an alarm on an object in the Host Table, define the first byte of the instance as the index number assigned to the specific Host Table you want to check. These index numbers are assigned automatically as the table entries are created. No two tables, even if they are on different interfaces, will share the same table index number.

Second, you must specify the length, in bytes, of the index you will be using. Again, in the case of an object in the Host Table, that value would be 6, since Host Table entries are indexed by MAC address (a six-byte value).

Finally, you must specify the index itself, in decimal format. In the case of a MAC address, that means you must convert the standard hexadecimal format to decimal format. To do this, simply multiply the first digit of the two-digit hex number by 16, then add the value of the second digit. (For hex values represented by alphabetical characters, remember that a=10, b=11, c=12, d=13, e=14, and f=15.) A hex value of b7, for instance, is represented in decimal format as 16 x 11 + 7, or 183. So, for example, the instance for an object in the Hosts group might read as follows:

2.6.0.0.29.170.35.201

where 2=the host table index; 6=the length in bytes of the index to follow; and 0.0.29.170.35.201=the decimal format for MAC address 00-00-1d-aa-23-c9.

For objects with multiple indices, such as objects in a matrix table, you must add additional length and index information to the instance definition, as illustrated below:

3.6.0.0.29.170.35.201.6.0.0.29.10.20.183

where 3=the matrix table index; 6=the length in bytes of the index to follow; 0.0.29.170.35.201=the decimal format for MAC address 00-00-1d-aa-23-c9; 6=the length in bytes of the next index; and 0.0.29.10.20.183=the decimal format for MAC address 00-00-1d-0a-14-b7.

Additional instance issues may exist for FDDI objects. If you're unsure how to assign an instance, use the MIBTree utility to query the object of interest, and note the appropriate instancing on the returned values.

Alarm Interval

The amount of time over which the selected variable will be sampled. At the end of the interval, the sample value will be compared to both the rising and falling thresholds. There is no practical limit to the size of the interval (as the maximum value is 24,855 days 3 hours 14 minutes and 7 seconds -- over 68 years!). The default value is 1 minute.

Startup Alarm

Since the first sample taken can be misleading. The Startup Alarm box to lets you disable either the rising or the falling threshold for that sample only. If you want to exclude the falling alarm, select the Rising option. The first sample taken will only generate a rising alarm, even if the sample value is at or below the falling threshold. To exclude the rising alarm, select the Falling option. The first sample will then only generate a falling alarm, even if the sample value is at or above the rising threshold. If you wish to receive both alarms as appropriate, select the Both option.

Sample Type

The Sample Type indicates whether you want your threshold values compared to the total count for the selected variable (Absolute), or to the difference between the count at the end of the current interval and the count at the end of the previous interval (Delta). Make sure you have set your thresholds accordingly.

Rising and Falling Thresholds

Rising and falling thresholds are intended to be used in pairs, and can be used to provide notification of spikes or drops in a monitored value -- either of which can indicate a network problem. To make the best use of this powerful feature, however, pairs of thresholds should not be set too far apart, or the alarm notification process may be defeated: a built-in hysteresis function designed to limit the generation of events specifies that, once a configured threshold is met or crossed in one direction, no additional events will be generated until the opposite threshold is met or crossed. Therefore, if your threshold pair spans a wide range of values, and network performance is unstable around either threshold, you will only receive one event in response to what may be several dramatic changes in value. To monitor both ends of a wide range of values, set up two pairs of thresholds: one set at the top end of the range, and one at the bottom. Figure 4-8 illustrates such a configuration.

RisingThreshold

The high threshold value for this alarm.

RisingEventIndex

The index number of the event you would like to see triggered if the rising threshold is crossed. Assigning an invalid or zero index effectively disables the threshold, as there will be no indication that it has been crossed.

FallingThreshold

The low threshold value for this alarm.

FallingEventIndex

The index number of the event you would like to see triggered if the falling threshold is crossed. Assigning an invalid or zero index effectively disables the threshold, as there will be no indication that it has been crossed.

Create/Modify Event Window

The Create Alarm and Modify Event windows both provide the same set of parameters to let you define associate events with the alarms that you've defined and determine the specific action triggered by the event (create a log entry or trigger a trap). The Create Event window is opened with default settings and allow creating new events. The Modify Event window opens showing the settings for an event selected in the Event Watch table and allows you to edit an existing events.

Click area in the window for more information.

Description

Any text description that you want to identify the event. This description appears in the Events Watch window and help you distinguish among the events you have configured.

Community

This value is included in any trap messages issued by your RMON device when this event is triggered. For EOS devices, this value is also used to direct traps related to this event to the appropriate management workstation(s):

• If you enter a value in this field, traps related to this event will only be sent to the network management stations in the device's trap table which have been assigned the same community name (and for which traps have been enabled). Any IP addresses in the device's trap table which have not been assigned the same community string, or which have been assigned no community string, will not receive traps related to the alarm(s) you are configuring.
• If you leave this field blank, traps related to this event will be sent to any network management stations which have been added to the device's trap table, and for which traps have been enabled -- regardless of whether or not those IP addresses have been assigned a community name in the Trap Table.

Owner

This allows you to enter some appropriate individual as the designated owner of this event. This could be the network manager's name or phone number, or the IP or MAC address of the management workstation, to identify the creator of the event. Since any workstation can access and change the events you are configuring, some owner identification can prevent events from being altered or deleted accidentally. The default owner is the NetSight <hostname> and <IP address> <date> <time>, where the hostname and IP address belong to the Console host system, and the date and time reflects the date and time of the event's creation.

Event Type

The Event Type determines how this event will respond when an associated threshold is crossed.

• Log creates log entry for the alarm associated with this event. Each event's log can be viewed by clicking on the Event Log button near the bottom of the RMON Alarm/Event List window.
• Trap instructs the device to send a pair of SNMP traps (one WARNING, one Normal) to the management station each time the event is triggered.

RMON Event Log

The Event Log provides information about the alarm that triggered an event selected in the RMON Alarm/Event List window. The top portion of the window contains the device information boxes, as well as the event index number and the event description. The bottom portion lists alarm information.

Click areas in the window for more information.

Index

This index number is not the event's index, but a simply an index of items in the log that uniquely identifies this occurrence of the event.

Time

Indicates the date and time of each event occurrence.

Description

Provides a detailed description of the alarm that triggered the event: whether it was a rising or falling alarm, the alarm index number, the alarm variable name and object identifier (OID), the alarmSampleType (1=absolute value; 2=delta value), the value that triggered the alarm, the configured threshold that was crossed, and the event description. Use the scroll bar at the bottom of the log to view all the information. Each log will hold only a finite number of entries, which is determined by the resources available on the device. When the log is full, the oldest entries will be replaced by new ones.

---

Related Information

For information on related windows:

• RMON Filter and Packet Capture Window