To enter the event management system, an event must contain values for the device, severity, and summary fields. Resource Manager rejects events that are missing any of these fields.
Basic event fields are as follows:
- Event Class Key
- Event Class
Events include numerous other standard fields. Some control how an event is mapped and correlated; others provide information about the event.
The device field is a free-form text field that allows up to 255 characters. Resource Manager accepts any value for this field. If the device field contains an IP address or a hostname, then the system will automatically identify and add the event to the corresponding device.
Resource Manager automatically adds information to incoming events that match a device. Fields added are:
- prodState - Specifies the device's current production state.
- Location - Specifies the location (if any) to which the device is assigned.
- DeviceClass - Classifies the device.
- DeviceGroups - Specifies the groups (if any) to which the device is assigned.
- Systems - Systems (if any) to which the device is assigned.
- DevicePriority - Priority assigned to the device.
The Status field defines the current state of an event. This field is often updated after an event has been created. Values for this numeric field are 0-6, defined as follows:
|0||New||Initial state upon creation|
|1||Acknowledged||A user has seen and marked the event|
|2||Suppressed||A transform has suppressed the event|
|3||Closed||A user action has closed the event|
|4||Cleared||A corresponding clear event has cleared the event|
|5||Dropped||A transform has dropped an event, so the event it not persisted|
|6||Aged||Automatically closed because of the severity and last seen time values|
The following table maps event severity levels to their labels and colors.
Summary and message fields
The summary and message fields are free-form text fields. The summary field allows up to 255 characters. The message field allows up to 4096 characters. These fields usually contain similar data.
The system handles these fields differently, depending on whether one or both are present on an incoming event:
- If only summary is present, then the system copies its contents into message and truncates summary contents to 128 characters.
- If only message is present, then the system copies its contents into summary and truncates summary contents to 128 characters.
- If summary and message are both present, then the system truncates summary contents to 128 characters.
As a result, data loss is possible only if the message or summary content exceeds 65535 characters, or if both fields are present and the summary content exceeds 128 characters.
To ensure that enough detail can be contained within the 128-character summary field limit, avoid reproducing information in the summary that exists on other fields (such as device, component, or severity).
The following table lists additional event fields.
|dedupid||Dynamically generated fingerprint that allows the system to perform de-duplication on repeating events that share similar characteristics.|
|component||Free-form text field (maximum 255 characters) that allows additional context to be given to events (for example, the interface name for an interface threshold event).|
|eventClass||Name of the event class into which this event has been created or mapped.|
|eventKey||Free-form text field (maximum 128 characters) that allows another specificity key to be used to drive the de-duplication and auto-clearing correlation process.|
|eventClassKey||Free-form text field (maximum 128 characters) that is used as the first step in mapping an unknown event into an event class.|
|eventGroup||Free-form text field (maximum 64 characters) that can be used to group similar types of events. This is primarily an extension point for customization. Currently not used in a standard system.|
|stateChange||Last time that any information about the event changed.|
|firstTime||First time that the event occurred.|
|lastTime||Most recent time that the event occurred.|
|count||Number of occurrences of the event between the firstTime and lastTime.|
|prodState||Production state of the device, updated when an event occurs. This value is not changed when a device's production state is changed; it always reflects the state when the event was received by the system.|
|agent||Typically the name of the daemon that generated the event. For example, an SNMP threshold event will have zenperfsnmp as its agent.|
|DeviceClass||Device class of the device that the event is related to.|
|Location||Location of the device that the event is related to.|
|Systems||Pipe-delimited list of systems that the device is contained within.|
|DeviceGroups||Pipe-delimited list of systems that the device is contained within.|
|facility||Only present on events coming from syslog. The syslog facility.|
|priority||Only present on events coming from syslog. The syslog priority.|
|ntevid||Only present on events coming from Windows event log. The NT Event ID.|
|ownerid||Name of the user who acknowledged this event.|
|clearid||Only present on events in the archive that were auto-cleared. The evid of the event that cleared this one.|
|DevicePriority||Priority of the device that the event is related to.|
|eventClassMapping||If this event was matched by one of the configured event class mappings, contains the name of that mapping rule.|
|monitor||In a distributed setup, contains the name of the collector from which the event originated.|
In addition to the standard fields, the system also allows events to add an arbitrary number of additional name/value pairs to events to give them more context.