Important: This version of the product has reached end of support. The documentation is available for your convenience.

Managing event receivers


You can forward the events generated in TrueSight Network Automation to one or more syslog servers, defined as event receivers. The TrueSight Network Automation application server emits one syslog message per logged matching event per event receiver, in the selected format over the selected protocol.

Event attributes

You can configure the following attributes of events when forwarding them to the event receivers:

  • Event severity: You can forward events with the following severity levels:

    • CRITICAL
    • MAJOR
    • MINOR
    • WARNING
    • INFO

    Note

    You cannot forward events with the UNKNOWN severity level.

  • Event category: You can forward events with the following categories:

    • SYSTEM
    • DEVICE
    • JOB
    • USER

    Note

    You cannot forward DEBUG and EXTERNAL category events.

  • Protocol: You can choose one of the following protocols for forwarding messages:
    • TLS over TCP
    • UDP
  • Output message format: You can choose one of the following formats in which the events are presented on the event receiver:
    • RFC 5424
    • ArcSight Common Event Format (CEF)

Message formats

While forwarding messages in RFC 5424 format, TrueSight Network Automation uses the non-transparent framing method. In this method, a syslog message is inserted into a frame and terminated with a TRAILER character. The severity levels of events in TrueSight Network Automation are mapped to the RFC 5424 priorities, as shown in the following table.

Mapping of severity levels to priorities

TrueSight Network Automation severity    RFC 5424 priority
CRITICAL                                 2 (Critical)
MAJOR                                    3 (Error)
MINOR                                    3 (Error)
WARNING                                  4 (Warning)
INFO                                     6 (Informational)

The categories of events in TrueSight Network Automation are mapped to the RFC 5424 facilities, as shown in the following table.

Mapping of categories to facilities

TrueSight Network Automation category    RFC 5424 facility
SYSTEM                                   17
DEVICE                                   18
JOB                                      19
USER                                     20

The following example shows a sample message received by an event receiver in the RFC 5424 format:

RFC 5424 message
1 2018-12-22T02:04:10.581Z tsna-mc02 EXE-TSNA - User [event@17192 threadID="1360"
severity="Info" dateTime="12/22/18 07:34:10" category="User" source="sysadmin"
event="Modified event receiver" target="hou-in-tsna-dev01" description=""] 
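A receiver-side consistency check for the RFC 5424 output, as an added example (not BMC code): it splits a TCP byte stream on the trailer, parses the structured data, and verifies that the PRI value equals facility × 8 + severity according to the two mapping tables above. The LF trailer and the <166> PRI in the constructed sample are assumptions; the sample message on this page shows neither.

```python
import re

# Mappings copied from the page's two tables.
SEVERITY_TO_PRIORITY = {"CRITICAL": 2, "MAJOR": 3, "MINOR": 3, "WARNING": 4, "INFO": 6}
CATEGORY_TO_FACILITY = {"SYSTEM": 17, "DEVICE": 18, "JOB": 19, "USER": 20}
TRAILER = b"\n"  # assumption: LF, the usual trailer for non-transparent framing

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA]
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\[.*\])\s*$", re.S)
PARAM = re.compile(r'(\w+)="((?:[^"\\\]]|\\.)*)"')

# Constructed sample: the page's message on one line, with a PRI computed from the tables.
SAMPLE = (b'<166>1 2018-12-22T02:04:10.581Z tsna-mc02 EXE-TSNA - User [event@17192 '
          b'threadID="1360" severity="Info" dateTime="12/22/18 07:34:10" category="User" '
          b'source="sysadmin" event="Modified event receiver" target="hou-in-tsna-dev01" '
          b'description=""]')

def expected_pri(category, severity):
    """RFC 5424 PRI value: facility * 8 + severity."""
    return CATEGORY_TO_FACILITY[category.upper()] * 8 + SEVERITY_TO_PRIORITY[severity.upper()]

def split_frames(buffer):
    """Split a received byte buffer into complete frames and the unterminated tail."""
    *frames, tail = buffer.split(TRAILER)
    return [f for f in frames if f], tail

def check_message(frame):
    """Return (fields, problems); problems is empty when PRI agrees with the SD fields."""
    m = HEADER.match(frame.decode("utf-8", "replace"))
    if not m:
        return {}, ["not an RFC 5424 message with structured data"]
    pri, fields = int(m.group(1)), dict(PARAM.findall(m.group(7)))
    try:
        want = expected_pri(fields["category"], fields["severity"])
    except KeyError:
        return fields, ["category or severity missing, or not a forwardable value"]
    if pri != want:
        return fields, [f"PRI {pri} != {want} implied by category/severity"]
    return fields, []

if __name__ == "__main__":
    frames, tail = split_frames(SAMPLE + TRAILER + b"<166>1 2018-12-22T02:04")
    for frame in frames:
        print(check_message(frame))
    print("bytes still waiting for a trailer:", len(tail))
```

A mismatch between the PRI and the severity or category carried in the structured data is worth alerting on at the receiver, especially over UDP, where the sender is not authenticated.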

The severity levels of events in TrueSight Network Automation are mapped to the ArcSight CEF priorities, as shown in the following table:

TrueSight Network Automation severity    ArcSight CEF priority
CRITICAL                                 9
MAJOR                                    7
MINOR                                    6
WARNING                                  4
INFO                                     0

The following example shows a sample message received by an event receiver in the ArcSight CEF format:

1545311438125 josmith-W1.example.com CEF:0|EXE|TSNA|8.9.04|3195|Job|7|msg=threadID\=22897
severity\=Major dateTime\=12/20/18 18:40:38 category\=Job source\=Populate Cisco Device Board Models
and their End of Life Date event\=External script execution completed with error target\=null
description\=Script execution failed: log4j:WARN No appenders could be found for logger
(org.apache.http.client.protocol.RequestAddCookies).

The following topics describe how to add, edit, or view an event receiver:
