Setting up probes to use the updated rules files

The rules files supplied with the Netcool/OMNIbus Knowledge Library adhere to a common standard and enable event correlation and causal analysis.

The RulesFile property in the properties file of the SNMP probe specifies the path to the snmptrap.rules file, which has all the contents suitable for various vendors.

Enabling the probes to use the rules file of the Netcool/OMNIbus Knowledge Library is a two-stage process that involves:

  1. Extracting the updated rules files
  2. Configuring the probes properties files

Extracting the updated rules files

The rules.tar.gz file extracted from the download contains updated rules files to support the following IBM Tivoli Netcool/OMNIbus probes:

  • SNMP probe
  • Probe for HP OpenView Network Node Manager (NNM)
  • Probe for IBM NetView
  • Syslog probe
  • Syslogd probe
Note: The updated rules files must be extracted into the specific location on each machine where these probes are installed.

To extract the rules files:

  1. From the machine(s) on which the probes are installed, extract the NcKL installation package into the relevant IBM Tivoli installation location for your platform, and set the NC_RULES_HOME environment variable as follows:
    Table 1. Default locations on various platforms
    Platform | Default NcKL location | NC_RULES_HOME
    UNIX     | /opt/IBM/tivoli/NcKL  | /opt/IBM/tivoli/NcKL/rules
    Windows  | C:\IBM\Tivoli\NcKL    | C:\IBM\Tivoli\NcKL\rules
  2. Extract the contents of the rules.tar.gz file into the default NcKL location. If working within a Windows environment, you will need a utility that can uncompress and unpack UNIX tar.gz files.
    Note: Do not use WinZip for uncompressing or unpacking the tar.gz files. WinZip creates an extracted directory structure that differs from the directory structure in the archive.

By default, the files in the rules.tar.gz bundle will be extracted into a rules subdirectory - for example: /opt/IBM/tivoli/NcKL/rules on UNIX.

Note: This location is required for reference within the probe properties files and the extracted rules files. You might therefore find it useful to make a note of the path for use in later steps.
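The extraction step on UNIX, with a check that the archive and the extracted layout match what this section describes. This is an added example, not IBM-supplied code; the function names are hypothetical, and it assumes every archive member sits under rules/ as stated above. The demo archive is constructed and holds empty stand-in files.

```shell
#!/bin/sh
# Added example (not IBM code): check member paths, extract, set NC_RULES_HOME.

# Exit 0 only if every archive member is a relative path under rules/
# with no ".." component; offending members are reported on stderr.
archive_is_contained() {
    members=$(tar -tzf "$1") || return 2
    [ -n "$members" ] || return 2
    printf '%s\n' "$members" | awk '
        { sub(/^\.\//, "") }
        $0 !~ /^rules(\/|$)/ || $0 ~ /(^|\/)\.\.(\/|$)/ {
            bad = 1; print "unexpected member: " $0
        }
        END { exit bad + 0 }' >&2
}

# $1 = path to rules.tar.gz, $2 = NcKL location (UNIX default: /opt/IBM/tivoli/NcKL)
install_rules() {
    archive_is_contained "$1" || { echo "refusing to extract $1" >&2; return 1; }
    mkdir -p "$2" && tar -xzf "$1" -C "$2" || return 1
    NC_RULES_HOME="$2/rules"; export NC_RULES_HOME
    # Both base rules files must be where the probe properties will point.
    [ -f "$NC_RULES_HOME/snmptrap.rules" ] && [ -f "$NC_RULES_HOME/syslog.rules" ]
}

# Constructed demo archive with empty stand-ins for the two base rules files.
demo=$(mktemp -d) && mkdir -p "$demo/src/rules" &&
    : > "$demo/src/rules/snmptrap.rules" && : > "$demo/src/rules/syslog.rules" &&
    tar -czf "$demo/rules.tar.gz" -C "$demo/src" rules &&
    install_rules "$demo/rules.tar.gz" "$demo/NcKL" &&
    echo "NC_RULES_HOME=$NC_RULES_HOME"
```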

For details of the extracted rules files, see Directory structure and contents of the updated rules files.

Note: In a previous version of this guide (SC23-6386-08), AIX users of the Netcool Knowledge Library were instructed to set the LDR_CNTRL environment variable. Version 3.9 of ITNM sets this variable automatically during installation, so you must not set it manually. If you upgrade from Version 3.8 of ITNM and have set the LDR_CNTRL environment variable, you should remove the setting before installing Version 3.9.

Configuring the probes properties files

The trap-based probes supported by this installation are associated with the extracted base rules file snmptrap.rules, and the syslog-based probes are associated with the base file syslog.rules.

To configure these probes to reference their base rules files:

  1. Navigate to the location $OMNIHOME/probes/arch, where arch is the name of the platform on which the probe was installed. For example, the default location for a Solaris installation is /opt/IBM/tivoli/netcool/omnibus/probes/solaris2.

    The next two steps require details of the path into which you extracted the updated rules files.

  2. Using a text editor that is appropriate for your platform (for example, vi for Solaris and Notepad for Windows), modify the properties files listed in the table below with the specified entries. (This table shows the UNIX defaults.)
    Table 2. Required modifications to probes properties files
    Probe                       | File name to edit | Required modification (UNIX defaults)
    SNMP                        | mttrapd.props     | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
                                |                   | MIBFile : ""
                                |                   | QuietOutput : 1
    HP OpenView NNM Version 6.x | nnm6.props        | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
    HP OpenView NNM Version 7.x | nnm7.props        | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
    IBM NetView Version 5.x     | nv5.props         | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
    IBM NetView Version 6.x     | nv6.props         | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
    IBM NetView Version 7.x     | nv7.props         | RulesFile : "/opt/IBM/tivoli/NcKL/rules/snmptrap.rules"
    Syslog                      | syslog.props      | RulesFile : "/opt/IBM/tivoli/NcKL/rules/syslog.rules"
    Syslogd                     | syslogd.props     | RulesFile : "/opt/IBM/tivoli/NcKL/rules/syslog.rules"

    If amending the properties files within a Windows environment, replace the UNIX RulesFile path /opt/IBM/tivoli/NcKL/rules/ with the relevant Windows path. For example:

    RulesFile : "C:\\IBM\\Tivoli\\NcKL\\rules\\snmptrap.rules"

    Details on the supported platforms for these probes are provided within the relevant probes documentation.

  3. For the changes to take effect, you must now stop and restart the probes either automatically using process control (on UNIX) or services (on Windows), or manually from the command line. For example, you can use:
    • kill -15 to kill the process, and process control to automatically restart the probes (on UNIX)
    • The Services window to stop and start services if the probes were installed as services (on Windows)
    • CTRL+C to stop the probes, and the command nco_p_probename [ -option [ value ] ... ] to restart the probes if they were installed as console applications (on Windows)

For more information, see the IBM Tivoli Netcool/OMNIbus Probe and Gateway Guide, and the IBM Tivoli Netcool/OMNIbus Administration Guide.

Directory structure and contents of the updated rules files

The IBM Tivoli Netcool/OMNIbus Knowledge Library 4.8 installation supplies updated rules files that deliver support for various MIBs. Full details of the event sources are provided in Supported event sources.

The following files are added to the /opt/IBM/tivoli/NcKL (or equivalent platform-dependent) location as a result of the installation:

Table 3. Structure and contents of installed files
Each directory is listed with its description beneath it.

/rules
    The base IBM Netcool/OMNIbus Knowledge Library 4.8 directory which contains the base rules files (snmptrap.rules and syslog.rules) and related files.

/rules/include-common
    This directory contains include files that provide probe-independent logic - for example, 3GPP and TMF814 specific log, lookup table to help convert between hex, decimal, and ASCII.

/rules/include-compat
    This directory contains include files to activate support for various IBM Tivoli Netcool/OMNIbus Knowledge Library 4.8 features.

/rules/include-snmptrap
    This directory contains include files for processing events from the SNMP trap-based probes.

/rules/include-snmptrap/common-lookup
    This directory contains the common lookup files that any vendor can use.

/rules/include-snmptrap/generic
    This directory contains SNMP trap-based include files that improve the handling of enterprise-specific implementations of the generic SNMP traps.

/rules/include-snmptrap/vendor
    This directory identifies the specific vendor and contains the following set of master and preclass files that improve the handling of enterprise-specific implementations of the traps specific to the vendor:
      • vendor.master.include.lookup - This file lists all the lookup files related to that vendor.
      • vendor.master.include.rules - This file lists all the rules files related to that vendor.
      • vendor-preclass.snmptrap.lookup - This file contains all the PreClassification entries related to that vendor.
      • vendor-preclass.include.snmptrap.rules - This file maps the PreClassification entries to Object Server.
      • vendor-MIB.include.snmptrap.rules - This file contains the include statement defining the path to the vendor specific rules file in the include-snmptraps directory.
      • vendor-MIB.include.snmptrap.lookup - This file contains the include statement defining the path to the vendor specific lookup file in the include-snmptraps directory.
      • vendor-MIB.user.include.snmptrap.rules - This file contains the include statement defining the path to the vendor specific rules file of the user in the include-snmptraps directory.
      • vendor-MIB.sev.snmptrap.lookup - This file lists the severity lookup files related to the vendor.
      • vendor_MIB.adv.include.snmptrap.lookup - This file contains the include statement defining the path to the vendor specific lookup file for the advanced traps in the include-snmptraps directory.

/rules/include-syslog
    This directory contains include files for processing events from the Syslog-based probes.
    Note: This includes the Windows version of the Syslog Daemon probe (nco_p_syslogd.exe), but does not include the Winsyslog probe (nco_p_winsyslog.exe).

/rules/include-syslog/cisco-ios
    This directory contains Syslog-based include files for the processing of syslog messages from various Cisco syslog facilities.

/rules/include-syslog/juniper-junos
    This directory contains Syslog-based include files for the processing of syslog messages from various JUNOS syslog facilities.

/rules/include-syslog/regmatch
    This directory contains include files that use regular expressions or other matching techniques to make a best guess at the source of an event received by the Syslog-based probe.

Note: IBM recommends that any user customizations are made within the user include files. (These are usually in the format sometext.user.include.sometext.rules, where sometext can be a reference to the event source or probe type.) In future upgrades, you can then choose to retain your existing user include files, removing the need for updating the new files with your current customizations.

Enabling the probes to use Netcool/OMNIbus Knowledge Library 4.8

Netcool/OMNIbus Knowledge Library 4.8 provides an option to use vendor specific rules files that enable correlation and causal analysis of events specific to the vendors. The following configurations make the probes use the rules file of the Netcool/OMNIbus Knowledge Library 4.8 instead of the rules file specified for Netcool/OMNIbus Knowledge Library 1.4:

  1. Open the properties file of the SNMP probe.
  2. In the RulesFile property, specify the path to the snmptrap.rules file extracted from the NcKL compressed tar file.
  3. To include a set of vendor-specific rules, uncomment the following lines from the snmptrap.rules file:

    #include "$NC_RULES_HOME/include-snmptrap/vendor/vendor.master.include.lookup"

    #include "$NC_RULES_HOME/include-snmptrap/vendor/vendor.master.include.rules"

    #include "$NC_RULES_HOME/include-snmptrap/vendor/vendor.preclass.include.snmptrap.rules"

    Where vendor is the subdirectory specific to the vendor.

    For example, following is an updated and uncommented section of the snmptrap.rules file when the vendor is IBM:

    include "$NC_RULES_HOME/include-snmptrap/ibm/ibm.master.include.lookup"

    include "$NC_RULES_HOME/include-snmptrap/ibm/ibm.master.include.rules"

    include "$NC_RULES_HOME/include-snmptrap/ibm/ibm.preclass.include.snmptrap.rules"
  4. Restart the SNMP Probe for the probes to use the Netcool/OMNIbus Knowledge Library 4.8.
Important: Without the above configurations, the probes will only use the generic rules files and ignore the vendor specific rules files.
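
A way to confirm, before restarting the probe, which vendor rule sets it will actually load. This is an added example, not IBM-supplied code; the function names are hypothetical, and the sample properties and rules files are constructed (the cisco vendor directory is a placeholder name).

```shell
#!/bin/sh
# Added example (not IBM code): report the vendor rule sets a probe will load.

# Print the RulesFile value from a probe properties file.
# Lines commented out with '#' never match.
rules_file_from_props() {
    sed -n 's/^[[:space:]]*RulesFile[[:space:]]*:[[:space:]]*"\(.*\)".*$/\1/p' "$1" |
        tail -n 1
}

# For each vendor master rules include, print "active <vendor>" or
# "commented <vendor>", where <vendor> is the include-snmptrap subdirectory.
vendor_include_status() {
    pat='include[[:space:]]*"\$NC_RULES_HOME/include-snmptrap/\([^/"]*\)/[^"]*\.master\.include\.rules".*'
    sed -n -e "s|^[[:space:]]*${pat}|active \\1|p" \
           -e "s|^[[:space:]]*#[[:space:]]*${pat}|commented \\1|p" "$1"
}

# Exit 0 if at least one vendor rule set is active, 1 if the probe would run
# on generic rules only, 2 if RulesFile is absent or points at nothing readable.
audit_probe_rules() {
    rules=$(rules_file_from_props "$1")
    if [ -z "$rules" ] || [ ! -r "$rules" ]; then
        echo "RulesFile missing or unreadable: ${rules:-<unset>}" >&2
        return 2
    fi
    vendor_include_status "$rules"
    vendor_include_status "$rules" | grep -q '^active '
}

# Constructed sample: mttrapd.props plus a rules file with one vendor enabled.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# RulesFile : "/old/path/snmptrap.rules"' \
        "RulesFile : \"$d/snmptrap.rules\"" 'MIBFile : ""' 'QuietOutput : 1' \
        > "$d/mttrapd.props"
    printf '%s\n' \
        'include "$NC_RULES_HOME/include-snmptrap/ibm/ibm.master.include.lookup"' \
        'include "$NC_RULES_HOME/include-snmptrap/ibm/ibm.master.include.rules"' \
        '#include "$NC_RULES_HOME/include-snmptrap/cisco/cisco.master.include.rules"' \
        > "$d/snmptrap.rules"
    echo "$d"
}

sample=$(make_sample) && audit_probe_rules "$sample/mttrapd.props"
```

An exit status of 1 corresponds to the case described in the Important note: only the generic rules files are in use.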