This version of the product is in limited support. However, the documentation is available for your convenience.

Managing event receivers


You can forward the events generated in TrueSight Network Automation to one or more syslog servers, defined as event receivers. The Network Automation application server emits one syslog message per logged matching event per event receiver, in the selected format over the selected protocol. 

Event attributes

You can configure the following attributes of events when forwarding them to the event receivers:

  • Event severity: You can forward events with the following severity levels:

    • CRITICAL
    • MAJOR
    • MINOR
    • WARNING
    • INFO

    Note

    You cannot forward events with the UNKNOWN severity level.

  • Event category: You can forward events with the following categories:

    • SYSTEM
    • DEVICE
    • JOB
    • USER

    Note

    You cannot forward DEBUG and EXTERNAL category events.

  • Protocol: You can choose one of the protocols to be used for forwarding messages:
    • TLS over TCP
    • UDP
  • Output message format: You can choose one of the formats in which you want the events to be presented on the event receiver:
    • RFC 5424  
    • ArcSight Common Event Format (CEF)

Message formats

When forwarding messages in RFC 5424 format, Network Automation uses the non-transparent framing method, in which each syslog message is inserted into a frame and terminated with a TRAILER character. The severity levels of events in Network Automation are mapped to the RFC 5424 priorities, as shown in the following table.

Mapping of severity levels to priorities

| Network Automation severity | RFC 5424 priority |
|---|---|
| CRITICAL | 2 (Critical) |
| MAJOR | 3 (Error) |
| MINOR | 3 (Error) |
| WARNING | 4 (Warning) |
| INFO | 6 (Informational) |

The categories of events in Network Automation are mapped to the RFC 5424 facilities, as shown in the following table.

Mapping of categories to facilities

| Network Automation category | RFC 5424 facility |
|---|---|
| SYSTEM | 17 |
| DEVICE | 18 |
| JOB | 19 |
| USER | 20 |

The following example shows a sample message received by an event receiver in the RFC 5424 format:

RFC 5424 message
<166>1 2018-12-22T02:04:10.581Z tsna-mc02 EXE-TSNA - User [event@17192 threadID="1360"
severity="Info" dateTime="12/22/21 07:34:10" category="User" source="sysadmin"
event="Modified event receiver" target="hou-in-tsna-dev01" description=""] 
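
A receiver-side check of the framing and the two mappings above, added here as an example (not product code): it splits a non-transparent-framed stream, decodes the PRI value into facility and priority, and verifies that they agree with the category and severity attributes in the structured data. The LF trailer default and the function names are assumptions.

```python
import re

# Mapping tables from this page, keyed by the numeric RFC 5424 values.
# MAJOR and MINOR share priority 3, so the PRI field cannot tell them apart.
SEVERITY = {2: {"CRITICAL"}, 3: {"MAJOR", "MINOR"}, 4: {"WARNING"}, 6: {"INFO"}}
CATEGORY = {17: "SYSTEM", 18: "DEVICE", 19: "JOB", 20: "USER"}

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID name="value" ...]
HEADER = re.compile(
    r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*)\]\s*$", re.S)
PARAM = re.compile(r'(\w+)="((?:\\.|[^"\\])*)"', re.S)


def split_frames(stream: bytes, trailer: bytes = b"\n"):
    """Split a non-transparent-framed stream into (messages, unfinished tail).
    The LF trailer is an assumption; the page does not name the TRAILER byte."""
    *frames, tail = stream.split(trailer)
    return [f.decode("utf-8", "replace") for f in frames if f], tail


def parse_event(message: str) -> dict:
    m = HEADER.match(message)
    if m is None:
        raise ValueError("not an RFC 5424 message with one structured-data element")
    facility, priority = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    # Undo RFC 5424 escaping of '"', '\' and ']' inside parameter values.
    attrs = {k: re.sub(r'\\(["\\\]])', r"\1", v)
             for k, v in PARAM.findall(m.group(8))}
    matches = (attrs.get("category", "").upper() == CATEGORY.get(facility)
               and attrs.get("severity", "").upper() in SEVERITY.get(priority, ()))
    return {"timestamp": m.group(2), "host": m.group(3), "facility": facility,
            "priority": priority, "attrs": attrs, "header_matches_attrs": matches}


# First RFC 5424 sample from this page, joined onto one line.
SAMPLE = ('<166>1 2018-12-22T02:04:10.581Z tsna-mc02 EXE-TSNA - User [event@17192 '
          'threadID="1360" severity="Info" dateTime="12/22/21 07:34:10" '
          'category="User" source="sysadmin" event="Modified event receiver" '
          'target="hou-in-tsna-dev01" description=""]')

if __name__ == "__main__":
    msgs, tail = split_frames(SAMPLE.encode() + b"\n<166>1 2018-12-22T02:")
    print(parse_event(msgs[0]), "unfinished bytes:", len(tail))
```

A message whose header does not match its attributes, or whose facility is outside 17 to 20, is worth flagging on the receiver, particularly when the UDP protocol is selected.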

The severity levels of events in Network Automation are mapped to the ArcSight CEF priorities, as shown in the following table:

| Network Automation severity | ArcSight CEF priority |
|---|---|
| CRITICAL | 9 |
| MAJOR | 7 |
| MINOR | 6 |
| WARNING | 4 |
| INFO | 0 |

The following example shows a sample message received by an event receiver in the ArcSight CEF format:

ArcSight CEF message
1545311438125 josmith-W1.example.com CEF:0|EXE|TSNA|20.02|3195|Job|7|msg=threadID\=22897
severity\=Major dateTime\=12/22/21 18:40:38 category\=Job source\=Populate Cisco Device Board Models
and their End of Life Date event\=External script execution completed with error target\=null
description\=Script execution failed: log4j:WARN No appenders could be found for logger
(org.apache.http.client.protocol.RequestAddCookies).

Mapping of the Events page to syslog message attributes

A syslog message generated for an event contains name/value pairs of the attributes corresponding to the UI columns present on the Events page for the event.

For example, the following figure shows an event on the Events page: 

[Figure: EventFields.png]

The following example shows the syslog message generated in the RFC 5424 format for the event shown in the preceding figure:

RFC 5424 message
<166>1 2020-08-02T08:24:00.889Z tsna-mc02 BMC-TSNA - User [event@17192 threadID="2058284"
severity="Warning" dateTime="08/02/20 13:54:00" category="System" source="sysadmin"
event="Device import completed with errors" target="devices.bat" description="Check source file format
 and name, and file contents: Error exception: File not found exception:
C:\BCA-Networks-Data\devices\devices.dat (The system cannot find the file specified)"]"

The following example shows the syslog message generated in the ArcSight CEF format for the event shown in the preceding figure:

ArcSight CEF message
1596356640000 tsna-mc02 CEF:0|BMC|TSNA|20.02|17192|System|4|msg=threadID\=2058284
severity\=Warning dateTime\=08/02/20 13:54:00 category\=System source\=sysadmin
event\=Device import completed with errors target\=devices.bat
description\=Check source file format and name, and file contents: Error exception:
File not found exception: C:\BCA-Networks-Data\devices\devices.dat
(The system cannot find the file specified)

The columns on the Events page are mapped to the message attributes as follows:

| UI column | Message attribute |
|---|---|
| Thread ID | threadID |
| Severity | severity |
| Date/Time | dateTime |
| Category | category |
| Source | source |
| Event | event |
| Target | target |
| Description | description |
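
Parsing the CEF form back into the attributes in the table above, as an added example (not product code): the msg extension carries the eight attributes as name\=value pairs whose values contain spaces, so the parser splits on the attribute names in the order seen in the samples and cross-checks them against the CEF header. That fixed order, reading the leading number as epoch milliseconds, and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Attribute names from the mapping table on this page; the order is the one
# seen in both CEF samples and is assumed to be fixed.
ATTRS = ["threadID", "severity", "dateTime", "category",
         "source", "event", "target", "description"]
# CEF priority table from this page.
CEF_PRIORITY = {"CRITICAL": 9, "MAJOR": 7, "MINOR": 6, "WARNING": 4, "INFO": 0}

# Each value runs up to the next expected "name\=" marker; description takes the rest.
MSG = re.compile(r"\s+".join(rf"{a}\\=(?P<{a}>.*?)" for a in ATTRS) + r"\s*$", re.S)


def parse_cef(line: str) -> dict:
    prefix, sep, cef = line.partition("CEF:")
    if not sep:
        raise ValueError("no CEF header")
    millis, host = prefix.split()
    fields = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # split on unescaped pipes
    if len(fields) != 8 or not fields[7].startswith("msg="):
        raise ValueError("unexpected CEF layout")
    name, cef_priority, ext = fields[5], int(fields[6]), fields[7]
    m = MSG.match(ext[len("msg="):])
    if m is None:
        raise ValueError("msg extension does not hold the eight attributes in order")
    # Only the "\=" escape is undone; other backslashes (Windows paths) are kept.
    attrs = {k: v.replace("\\=", "=") for k, v in m.groupdict().items()}
    matches = (CEF_PRIORITY.get(attrs["severity"].upper()) == cef_priority
               and attrs["category"].upper() == name.upper())
    return {"timestamp_utc": datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc),
            "host": host, "name": name, "cef_priority": cef_priority,
            "attrs": attrs, "header_matches_attrs": matches}


# Second CEF sample from this page, joined onto one line.
SAMPLE = (r"1596356640000 tsna-mc02 CEF:0|BMC|TSNA|20.02|17192|System|4|"
          r"msg=threadID\=2058284 severity\=Warning dateTime\=08/02/20 13:54:00 "
          r"category\=System source\=sysadmin "
          r"event\=Device import completed with errors target\=devices.bat "
          r"description\=Check source file format and name, and file contents: "
          r"Error exception: File not found exception: "
          r"C:\BCA-Networks-Data\devices\devices.dat "
          r"(The system cannot find the file specified)")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Because the values are free text, a value that itself contains a later attribute name followed by \= would shift the field boundaries; the header cross-check catches that for severity and category only.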

Where to go from here

To add or edit an event receiver, see Adding or editing event receivers.

To view the list of event receivers, see Viewing the event receivers listing.

 
