Configuring a policy in TrueSight Network Automation to correlate a recent NMS event with a configuration change
This topic provides an example of how to configure a policy that sends a Change Summary report via email whenever an Entuity Network Analytics device event occurs within two hours after a change has occurred on that device.
To add a policy condition keyword
- Log on to TrueSight Network Automation.
- Select Policies > Keywords.
- Click Add to add a new Keyword.
In the Add Keyword page, select the options and enter values as shown in the following table:
| Field | Action |
|---|---|
| Name | Enter Entuity Device Event. |
| Type | Select Event (the default). |
| Severity | Select all options. |
| Category | Select External. |
| Event | Select Any (the default). |
| Search String | Enter EYE Group ID:8. |
- Click Add.
The Add Keyword page should look like the following example:
- Click Save.
To add a policy condition
- Choose Policies > Conditions.
- Click Add to add a new condition.
- In the Name field, enter Entuity Device Event Now.
- In the Keyword field, select Entuity Device Event.
- Select the Triggering Condition option.
- In the Network Span section, select Entire Network.
- Click Save.
- Choose Policies > Conditions.
- Next to the factory-installed condition, Change Detected Past, click the Copy icon.
- In the Name field, enter Change Detected Past 2 Hours.
- Leave the Keyword field set to Changed Detected.
- Leave the Triggering Condition option unselected.
- Leave the Network Span field set to Same as Triggering Device.
- Change the Duration field to Last 2 Hours.
- Leave the Occurrence Count field set to 1.
- Modify the Description field to say something similar to the following:
A configuration change was detected in the past 2 hours.
The page will look similar to the following example:
- Click Save.
To add a policy
- Choose Policies > Policies.
- Click Add to add a new Policy.
- In the Name field, enter Entuity Device Event and Recent Change.
- In the Type field, select Event Based.
- Select the Enabled option and leave the rest of the fields on this tab at their defaults.
- Click the Conditions tab.
- In the Triggering Condition field, select Entuity Device Event Now.
- For the first Other Condition(s), select Change Detected Past 2 Hours.
The screen will look similar to the following example:
- Click the Actions tab.
- Select Add Action and choose Notifications > Send Email.
- In the Annotation field, enter something like Entuity Device Event and Recent Change.
- In the To field, specify email recipients.
- In the Report field, select Change Summary Report.
- Leave the Include Link option selected.
- Select the Include Attachment option.
- Select your attachment format (that is, PDF).
- Select the Include All Details option.
- In the Network Span field, select Same as Triggering Device.
- Select the Include Events option.
- Leave the Configuration field set to Running.
- Leave the Time Period field set to Last 2 Hours.
The page will look similar to the following example:
- Click OK.
- Click Save.
To test this policy, make a change to a device that causes device events to be generated. For example, remove Entuity Network Analytics from the SNMP access control list. In this example, the report was generated because the SNMP Not Responding event occurred within 2 hours after a change was made on the device.
Network Automation sent the report out automatically when this occurred. The report includes the following information:
- Who made the change
- When the change was made
- What device was changed
- What the change consisted of (for example, 172.21.127.10 pulled from ACL 40)
- Device events that occurred as a result of the change: SNMP Not Responding
ACL 40 is the list that manages SNMP access. This report tells Network Operations that 172.21.127.10 needs to be returned to the list.
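The following Python sketch is an added example, not BMC product code. It models how the policy configured above correlates events: a triggering external event that contains the search string fires the action only if at least one change was detected on the same device in the preceding 2 hours. The `Event` record, the function names, the device names, and the sample event text are hypothetical. Substring matching and inclusive window bounds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values from the procedure above; how the product applies them is assumed here.
SEARCH_STRING = "EYE Group ID:8"  # keyword "Entuity Device Event" (substring match assumed)
WINDOW = timedelta(hours=2)       # "Change Detected Past 2 Hours" (inclusive bounds assumed)
MIN_CHANGES = 1                   # Occurrence Count

@dataclass(frozen=True)
class Event:                      # hypothetical record, not a product type
    time: datetime
    device: str
    category: str                 # "External" = NMS event; "Change" = constructed label
    text: str

def is_trigger(ev):
    """Triggering condition: external event whose text contains the search string."""
    return ev.category == "External" and SEARCH_STRING in ev.text

def recent_changes(trigger, history):
    """Other condition: changes on the same device within WINDOW before the trigger."""
    start = trigger.time - WINDOW
    return [e for e in history
            if e.category == "Change" and e.device == trigger.device
            and start <= e.time <= trigger.time]

def evaluate(history):
    """Return (trigger, changes) pairs for which the email action would fire."""
    hits = []
    for ev in sorted(history, key=lambda e: e.time):
        changes = recent_changes(ev, history) if is_trigger(ev) else []
        if len(changes) >= MIN_CHANGES:
            hits.append((ev, changes))
    return hits

# Constructed sample events (device names and event text are made up).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Event(T0, "rtr-a", "Change", "172.21.127.10 pulled from ACL 40"),
    Event(T0 + timedelta(minutes=20), "rtr-a", "External", "EYE Group ID:8 SNMP Not Responding"),
    Event(T0 + timedelta(minutes=30), "rtr-b", "External", "EYE Group ID:8 SNMP Not Responding"),
    Event(T0 + timedelta(minutes=40), "rtr-a", "External", "EYE Group ID:3 Port Down"),
    Event(T0 + timedelta(hours=3), "rtr-a", "External", "EYE Group ID:8 SNMP Not Responding"),
]

if __name__ == "__main__":
    for trig, changes in evaluate(SAMPLE):
        print(trig.time, trig.device, "->", [c.text for c in changes])
```

Only the rtr-a event 20 minutes after the change fires. The rtr-b event has no change on the same device, the Group ID:3 event does not match the keyword, and the last rtr-a event falls outside the 2-hour window.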