TECHZEN Zenoss User Community ARCHIVE  
FORUMS / Configuration & Administration / DISCUSSION

EventClass Mapping for eventclasskeys With Special Characters

Subject: EventClass Mapping for eventclasskeys With Special Characters
Author: Dan A
Posted: 2019-05-04 16:00

So will start out by saying that I am not 100% sure I actually understand how to override event handling as I have never been able to get them to work.  My understanding is that for a given event, if it is already being mapped to a class, I can override the behavior by adding a mapping instance to the class using the eventclasskey.  In this specific scenario, I am receiving alerts with the following attributes:

agent: zenpython
component: .NET Runtime
dedupid: CSI-SQL-01|.NET Runtime|/Win|4|
eventClass: /Win
eventClassKey: .NET Runtime_1022
eventClassMapping:  
eventGroup: Application
eventKey: 
eventState: New
evid: 0242ac11-0011-932b-11e9-6ea3620db1e8
facility: 
message: .NET Runtime version 2.0.50727.8669 - Failed to CoCreate profiler.
ntevid: 1022
priority: 
severity: 4

These events are coming from a Windows EventLog type monitoring template that is mapped to the /Win event class.  We are running Zenoss 6.2.1 r218.  

After looking into the errors, they are just noise and need to be suppressed.  I have attempted to add an Instance Mapping to /Win and then set the Configuration Property to Drop ( I have also tried doing this in the transform as well).  It is worth noting that in most cases the instance name and the eventclasskey match.  I am unsure whether this is a requirement or just standard practice, however in this case the eventclasskey (".NET Runtime_1022") contains an illegal character which is not allowed in the Instance Name (although there are "builtin" mapping instances with .Net as part of the name).

In the end, I am unable to suppress the events and I am not sure if it is because I fundamentally have misunderstood how event suppression should work or if it is due to the special character in the eventclasskey.  I will note that when the events display in the log the eventClassMapping entry is empty.

------------------------------
Dan A
SysAdmin
Scottsdale AZ
------------------------------

Subject: RE: EventClass Mapping for eventclasskeys With Special Characters
Author: Jane Curry
Posted: 2019-05-06 06:24

I think you have the correct understanding, Dan.  Let me preface my comments by saying I have done test on Zenoss 4.2.5 - but I suspect it is behaving exactly the same way as yours.

You are quite correct that the event class mapping must match the event class key field exactly for that mapping to match. My tests showed that with the leading "." the mapping worked and could be seen in the event detail, but any customisation - whether using config properties or a transform, simply failed to happen.  Remove the leading "." on the eventClassKey and the customisation worked.  I was using zensendevent to generate test events like:

zensendevent -d win_test -s Error -k ".NET Runtime_1023" -o ntevid=1022 .NET Runtime version 2.0.50727.8669 - Failed to CoCreate profiler.

So I tried creating an event subclass under /Win - WinDiscard.  Under this subclass, I created an identical event class mapping.  The mapping worked AND the customisation worked - both with Config properties and with a transform.  You can obviously have lots of different mappings under your /Win/WinDiscard subclass.  You may also need to check the Sequence configuration if an event can match several classes and/or subclasses to ensure the correct class mapping is evaluated first.

Hope that works for you.

Cheers,
Jane

------------------------------
Jane Curry
Skills 1st United Kingdom
jane.curry@skills-1st.co.uk
------------------------------

Subject: RE: EventClass Mapping for eventclasskeys With Special Characters
Author: Jay Stanley
Posted: 2019-05-09 07:54

The restriction on some special characters has been fixed in 6.3.2.

If you are running an older version, you can get around it by creating a mapping without the special character, then use an API call to change it

Example payload

[
    {
        "action": "EventClassesRouter",
        "method": "editInstance",
        "data": [
            {
                "params": {
                    "evclass": "/zport/dmd/Events/CiscoUCS/Fault",
                    "uid": "/zport/dmd/Events/CiscoUCS/Fault/instances/F0479",
                    "instanceName": "F0479",
                    "newName": "F0479",
                    "eventClassKey": "ucs|F0479",
                    "example": "",
                    "explanation": "",
                    "regex": "",
                    "rule": "(getattr(evt, 'ucs-code', '') == 'F0479' or getattr(evt, 'eventClassKey', '') == 'ucs|F0479')",
                    "resolution": "",
                    "transform": ""
                }
            }
        ],
        "type": "rpc",
        "tid": 1
    }
]


------------------------------
jstanley
------------------------------


< Previous
[Monitoring processes] zFailSeverity and count threshold in OSProcess template 		  Next
Zenoss 4 vs Zenoss 6 - Differences in architecture / Zenpack compatability etc.. ... 		>