8 event and alarm management, Event and alarm overview, 8 event and alarm – H3C Technologies H3C Intelligent Management Center User Manual

641

8 Event and alarm management

IMC includes in its feature set the ability to manage events or faults and their resolutions in real time. This

chapter explains traps and Syslog entries as sources of events in IMC that become alarms. It also covers

browsing and filtering traps and Syslog events and the processes for defining which traps IMC processes.
This chapter also explains views that IMC offers for browsing the alarms generated by IMC. This includes

how to query for alarms, and the processes for sending alarms into email and SMS text notifications and

alarm forwarding to help desk and other management systems.

Event and alarm overview

In IMC, an event is an incident of interest in the network infrastructure. An event could indicate a failure

or fault on a network device. An event could also indicate a resolution of fault in the network. Or an event

can be informational. An alarm is an event that has been escalated in IMC for viewing by an IMC

operator, network administrator or support team using one of the IMC alarm browser views.
IMC can receive SNMP traps and Syslog entries as real time alarm sources. You can configure all devices

in the network infrastructure to send traps to IMC when issues arise and when issues are resolved. In

addition, you can configure all devices to forward specified Syslog messages to IMC for notification of

faults or their resolutions.
IMC can be a source of traps for events. IMC generates traps that are displayed in IMC when events arise
for managed devices such as when performance thresholds are exceeded, when IP address conflicts

arise, or when configuration management tasks do not complete. In addition, the IMC system is also a

managed device and traps can also be generated by IMC when a condition arises within IMC such as

high CPU utilization, disk space issues, or IMC process issues on the IMC server.
In addition, IMC has a built in engine for polling configured devices for performance metrics. System and

user defined thresholds translate a polling result into an event, whether the event is a fault or its resolution.
IMC itself is a source of events. IMC generates events for IMC.
Each of these three sources of events (traps, Syslog events, performance polling) in the network
infrastructure serves as inputs for alarms in IMC. System and user defined rules determine which of the

events generated by these three sources become an alarm.
Alarms take the form of entries into alarm browser views in IMC. They also can be escalated into alarm

notifications through email, SMS text messaging, or alarm forwarding to help desk and other
management systems.
Once an event becomes an alarm, it is written to the alarm database. There are two ways to remove an

alarm from IMC views and further notifications.
The first and preferred option for removing an alarm from the view and further notifications is to clear or
recover the event. Clearing an event or removes the event from Real-Time Alarms and Root Alarms views

though recovered alarms can still be viewed in the All Alarms view. Alarms that have been recovered are

removed from the database according to the Data Export configuration. When an event is recovered,

IMC includes the date and timestamp so that the duration of the event is recorded. This information can

be valuable for measuring the duration of a fault or event. Clearing or recovering an event is the
preferred method for removing an alarm from alarm views. Clearing or recovering an alarm does not

mean that the actual fault or error condition has been resolved.