Netcool Legacy LAM
The Netcool Legacy LAM enables Moogsoft Onprem to receive data from IBM Tivoli Netcool/OMNIbus.
In its default configuration, the LAM ingests data from a default Tivoli Netcool/OMNIbus setup. The LAM can also ingest data from non-default setups through its mapping utilities.
Workflow
The workflow of gathering events from IBM Tivoli Netcool/OMNIbus and publishing it to Moogsoft Onprem is as follows:
Data received from Tivoli Netcool/OMNIbus has fields checked to identify event type (eg. Problem, Resolution), state (eg. INSERT, UPDATE, DELETE) and severity.
The Legacy LAMbot creates events (based on the LAMbot configuration), containing all the mandatory Netcool event fields, and any additional optional fields.
The LAMbot passes events to the Netcool Alert Builder for de-duplication and alert creation.
The Alert Builder passes alerts to the Netcool Alert Rules Engine for filtering, which then passes them on to Sigalisers for further processing.
The Legacy LAM processes ITNM (IBM Tivoli Network Manager) root cause and symptom events, using Configure Deterministic Alert Clustering with Cookbook to create Situations.
Before You Begin
Before you start to set up the LAM, ensure you have met the following requirements:
You have system administrator privileges in IBM Tivoli Netcool/OMNIbus.
Moogsoft Onprem is configured to allow inbound communication from IBM Tivoli Netcool/OMNIbus.
You also require the following files, all of which Moogsoft Onprem installs by default:
$MOOGSOFT/config/netcool_lam.conf
$MOOGSOFT/bots/lambots/NetcoolLam.js
$MOOGSOFT/bots/lambots/NetcoolUtility.js
$MOOGSOFT_HOME/bin/utils/netcool_lam.conf.template
In addition, Moogsoft Onprem also provides the following Moobots which you will require:
AlertBuilderNetcool.js
: Allows special handling for the 'repeatDetection
' and 'stopDeduplication
' processes.AlertRulesEngineNetcool.js
: Used to processDELETE
andREPEAT
type events.SituationMgrNetcool.js
: Creates description labels for Situations based around root cause and symptom detection, based on IBM Tivoli Network Manager parameters.
Configure IBM Tivoli Netcool/OMNIbus
Configure the socket gateway and socket map files to send data to Moogsoft Onprem.
Socket Gateway
Tivoli Netcool/OMNIbus includes a socket gateway which is able to pass data to a third party system. This permits integration with Moogsoft Onprem.
In the IBM Netcool/OMNIbus gateway configuration file, NCO_GATE.props
, configure the following:
Field | Value |
---|---|
| Hostname or IP address of the Moogsoft Onprem system. |
| Port number defined in the Legacy LAM. For example 8411. |
| The delimiter used in the data sent to Moogsoft Onprem. Set this to double pipe - || |
|
|
|
|
|
|
|
|
|
|
|
|
Socket Map Files
In socket.map
, configure the fields you want to send to Moogsoft Onprem, ensuring that no fields are set to ON INSERT ONLY
. Gateway mapping should include all the mandatory fields, and any additional optional ones (such as @NodeAlias
).
An example mapping configuration is as follows:
CREATE MAPPING StatusMap ( '' = '@Identifier', '' = '@Serial', '' = '@Node', '' = '@LocalNodeAlias', '' = '@Manager', '' = '@Agent', '' = '@AlertGroup', '' = '@AlertKey', '' = '@Severity', '' = '@Summary', '' = '@FirstOccurrence', '' = '@LastOccurrence', '' = '@Class', '' = '@OwnerUID', '' = '@Acknowledged', '' = '@ExpireTime', '' = '@SuppressEscl', '' = '@TaskList', '' = '@LocalRootObj', '' = '@RemoteNodeAlias', '' = '@RemoteRootObj', '' = '@ServerName', '' = '@ServerSerial', '' = '@StateChange', '' = '@InternalLast', '' = '@Tally', '' = '@Type', '' = '@EventId', '' = '@NodeAlias' );
Configure the LAM
Mapping Utility
You define mapping in netcool_lam.conf
. By default, the LAM maps to the data fields in a default setup of Tivoli Netcool/OMNIbus.
If ingesting data from a non-default Tivoli Netcool/OMNIbus setup, you can use the moog_netcool_lam_mapper
utility to map between Tivoli Netcool/OMNIbus data fields and Moogsoft Onprem fields.
The mapping utility can use either a Tivoli Netcool/OMNIbus map file or a log file containing event data from Tivoli Netcool/OMNIbus. Before running it, ensure you back up the existing netcool_lam.conf
file.
To use a map file with the mapping utility, enter the command and arguments as follows (the map file is socket.map
):
sh $MOOGSOFT_HOME/bin/utils/moog_netcool_lam_mapper -f socket.map -t map
To use a log file with the mapping utility, enter the command and arguments as follows (the log file is event-data.txt
):
sh $MOOGSOFT_HOME/bin/utils/moog_netcool_lam_mapper -f event-data.txt -t logfile
When running the mapping utility (using either a map file or a log file), you can also optionally set the address (using the -a
argument in the command line) and port number (using the -p
argument in the command line), as follows:
sh $MOOGSOFT_HOME/bin/utils/moog_netcool_lam_mapper -a remote_host -f socket.map -p 8455 -t map
The above example sets the address to remote_host
and the port number to 8455
.
Once the mapping utility has successfully completed, a new Legacy LAM configuration file netcool_lam.conf
is automatically generated and placed in $MOOGSOFT/config
, overwriting the existing netcool_lam.conf
.
To verify the utility's successful completion, check the Legacy LAM configuration file to ensure that the following fields are set correctly:
port: The port number on which the LAM receives data from Netcool.
address: The hostname of the system running Moogsoft Onprem. If running on-premise, the default address is
0.0.0.0
. For an on-demand service, such as Amazon Web Services, the address is likely similar toew2.234.234.compute.amazonaws.com
.mode: The operation mode in which the socket LAM runs. Ensure this is set to
SERVER
Configure for High Availability
Configure the Netcool Legacy LAM for high availability if required. See High Availability Overview for details.
Configure LAMbot Processing
The LAMbot performs the core processing of the data received from Tivoli Netcool/OMNIbus. You can edit the configuration in NetcoolLam.js
.
Configure ITNM
You can enable the processing of ITNM (IBM Tivoli Network Manager) Route Cause and Symptom events in the LAMbot. In the NetcoolLam.js
file, set the usingITNM
value to true
and ensure the @NmosCauseType
and @NmosSerial
fields are included in the event. You can then proceed with the configuration steps below.
To enable the processing of ITNM fields, apply the following configurations to $MOOGSOFT/config/moog_farmd.conf
:
In the
sig_resolution
section, uncomment the following merge group, making it available as an additional merge group:merge_groups: [ { name: "ITNM Route Causes & Symptoms", moolets: ["ITNM"], alert_threshold : 2, sig_similarity_limit : 0.65 } ],
In the
moolets
section, uncomment the ITNM Cookbook and recipe:{ # Moolet name : "ITNM", classname : "CCookbook", run_on_startup : true, metric_path_moolet : true, moobot : "Cookbook.js", #process_output_of : "AlertRulesEngine", process_output_of : "AlertBuilder", # Algorithm membership_limit : 1, scale_by_severity : false, entropy_threshold : 0, single_recipe_matching : false, recipes : [ { chef : "CValueRecipe", name : "ITNM Route Cause & Symptom Detection", description : "Root cause and Symptom alerts detected based on ITNM", recipe_alert_threshold : 1, exclusion : "custom_info.nmosCauseType = 0", trigger : "custom_info.suppressedSerial > 0", rate : 0, min_sample_size : 5, max_sample_size : 10, cook_for : 1200, matcher : { components:[ { name: "custom_info.suppressedSerial", similarity: 1.0 } ] } } ], cook_for : 1200 }
Enable the Netcool Situation Manager Moolet:
name : "SituationMgr", classname : "CSituationMgr", run_on_startup : true, metric_path_moolet : false, moobot : "SituationMgr.js", moobot : "SituationMgrNetcool.js", process_output_of : [ "ITNM", "Sigaliser", "TemplateMatcher", "Speedbird" ]
Save the Moogfarmd configuration file.
Configure Moobot Processing
Alert Builder Moobot
The Netcool Alert Builder detects whether a received event is repeating and whether to create an alert from it. This is in addition to the standard functionality of the Alert Builder.
In the Alert Builder Moobot ($MOOGSOFT/bots/moobots/AlertBuilderNetcool.js
), there are three configurable settings:
repeatDetection
If an incoming Event is an UPDATE type, repeat detection is enabled (DELETE and INSERT types cannot be repeating events). The event signature is then matched to existing alerts. If no match is found, or a match is found to a closed alert, a new alert is created. If an open alert match is found, de-duplication is carried out (see below).
Set to
true
to enable the repeat detection process, where the Netcool Alert Builder Moobot determines if newly created alerts are similar to existing alerts. To enable the repeat detection functionality, in$MOOGSOFT/config/moog_farmd.conf
, in theAlertBuilder moolet
section, apply the follow configuration:name : "AlertBuilder", classname : "CAlertBuilder", run_on_startup : true, #moobot : "AlertBuilder.js", moobot : "AlertBuilderNetcool.js",
stopDeduplication
This determines whether the repeat detection process is carried out before or after an alert is created.
Set to
true
to prevent the de-duplication process from occurring. The repeat detection process is then performed before an alert is created.Set to
false
to create a new alert based on the event that has been received. Then the repeat detection process is performed, based on the newly created alert and existing alerts. This also allows you to forward the alert to a different Moolet chain.
overwriteCustomInfo
This defines whether the custom_info is updated when updating (de-duplicating) alerts.
Set to
true
to update alerts custom_info from new event data.Set to
false
to leave alerts custom_info unchanged when an alert is updated.
If Tivoli Netcool/OMNIbus is sending Route Cause and Symptom events from ITNM (IBM Tivoli Network Manager), and using ITNM is set to to true
in the LAMbot configuration file (see LAMbot configuration above), then the alerts custom_info field must be updated when de-duplicating: set overwriteCustomInfo
to true.
AlertRulesEngine Moobot
Enable the AlertRulesEngineNetcool.js
Moobot along with the associated action states and transitions. It is used to process DELETE
and REPEAT
type alerts, determining whether they are discarded or passed onto the Sigalisers for further processing.
To do this, open the Moogfarmd configuration file and uncomment the line containing the AlertRulesEngineNetcool.js
Moobot within the AlertRulesEngine moolet
section, as shown below:
name : "AlertRulesEngine", classname : "CAlertRulesEngine", run_on_startup : true, metric_path_moolet : true, #moobot : "AlertRulesEngine.js", moobot : "AlertRulesEngineNetcool.js", #standalone : true process_output_of : "AlertBuilder"
Ensure that run_on_startup
is set to true
Save the changes.
The rules (action states and transitions) to process DELETE
and INSERT
type Alerts should be added to the Moogsoft Onprem instance by entering the following command:
sh $MOOGSOFT_HOME/bin/utils/moog_netcool_are_installer
Default Field Mapping
The following table shows the default Tivoli Netcool/OMNIbus field mappings to Moogsoft Onprem fields. These mappings are defined either in the Legacy LAM configuration file or within the LAMbot:
Netcool Field Name | Moogsoft Onprem Field Name | Data type | Mandatory |
---|---|---|---|
|
| varchar(255) | Yes |
|
| varchar(255) | Yes |
|
| incr | Yes |
|
| varchar(64) | Yes |
|
| varchar(64) | Yes |
|
| varchar(64) | Yes |
|
| varchar(64) | No |
|
| varchar(255) | Yes |
|
| varchar(255) | No |
|
| integer | Yes |
|
| varchar(255) | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| varchar(255) | Yes |
|
| varchar(64) | Yes |
|
| varchar(255) | Yes |
|
| varchar(64) | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | Yes |
|
| integer | No |
|
| varchar(255) | No |
|
| varchar(64) | No |
|
| integer | No |
|
| varchar(64) | No |
Severity Mapping
By default, severity mapping is identical to the severity values used within Tivoli Netcool/OMNIbus. You can change this if necessary under the severity
section of netcool_lam.conf
.
Start and Stop the LAM
Restart the Netcool Legacy LAM to activate any changes you make to the configuration file or LAMbot.
The LAM service name is netcoollamd
.
See Control Moogsoft Onprem Processes for the commands to start, stop and restart the LAM.