Step by step walk through on converting SNMP trap to a ServiceNOW incident?

dan_tembe
Tera Contributor

Hello ServiceNOW Community.

New here to ServiceNOW, but with long-time tools exposure around HPOV, Netcool, NNMi, etc. as a dev ops engineer.

I am working with a development instance of ServiceNOW where I want to integrate various diverse tools and endpoints into ServiceNOW via SNMP traps.

I know there are commercial tools that allow us to do this, but I want to research how easy or hard it is to do this with just the ServiceNOW events management dashboard. I already have tools that can perform monitoring, and want to leverage ServiceNOW event management functionality to create incidents. Getting the Traps and JSON feeds using MID server into the central ServiceNOW was very straightforward. I am stuck beyond that, getting the event mapped properly to an incident.  

For now here is where I am at -

I have a dev. instance of ServiceNOW operational. I asked for and have the Events Management module functions available & enabled.

I have set up a MID server in my lab environment, which is successfully receiving SNMP Traps and forwarding them to the ServiceNOW Development instance assigned to me. I have confirmed this by checking the ServiceNOW events table (em_event). I can see the traps in the raw (?) format in the table or under the all events screen. From here to getting one of the traps into an event is where I need help.

I am having a hard time understanding how to map the event into a ServiceNOW incident using a rule. I see the trap gets forwarded and all the varbinds from the trap are getting up to the ServiceNOW event.

I was wondering if there is a cheat sheet or a video or a document that shows how to map a trap or event into proper severity, fields and move it into incident management. I read the wiki and all items that came up in search, but I am still confused. I feel that if I can do one and get it mapped from event to incident, then I can replicate the same process for the few others that I need to do the same for.

Thanks in advance for your insight / help / support.

Dan

PS - for testing purposes I am sending test SNMP traps from PRTG to ServiceNOW via MID server. I have attached some screens if that helps clarify my ask.

1 ACCEPTED SOLUTION

Hi Dan,



Here's the PRTG event integration guide I prepared not long ago. The most challenging part of the integration is obtaining curl.exe - the version in the guide may no longer be available so you may need to try others from the web site.



If this is useful be sure to mark this response as helpful and a correct answer.


11 REPLIES 11

Goran WitchDoc
ServiceNow Employee

Hi,



I haven't done an enormous amount of work in this area, but I think what you are looking for is an alert rule. From here you can, for example, automatically create an incident from an alert. For putting the right values in fields, I think the task template might be a good starting point.



Docs: Create or edit an alert rule



//Göran


Hello Goran,


Thanks for the link. I reviewed the alerting rule creation.


I think I really need to either shadow someone doing this with another alarm or event to be able to understand. Most likely I will just look into training. The mapping seems simple but when I tried creating various templates, using the events from the trap, the events matched the template but the result was not as expected. This is certainly a gap in my own understanding of the event workflow.


Do appreciate your response.


Thanks!


Dan


dan_tembe
Tera Contributor

Hello,


I was finally able to take a PRTG SNMP Trap, evaluate severity based on a value in a trap varbind, and then transform the event into an alert.



Hope this helps someone who is working on this type of SNMP to Alert conversion using just the MID server, and SNOW Event Management.



A few key items that helped me.


1) Goran's link to event management. I read through. I am sure I missed a lot but what stuck in my head helped a lot.


2) The link to event management and pictures of process / workflow is what helped me the most. This helped me visualize the flow of the events that enter SNOW event management.


3) Mapping severity required event field mapping. This requires that the source matches the source in event rules menu. I could not get the event field mapping to work without the source in event rules matching, so this is an assumption on my part but something based on my testing. <- someone who actually knows can correct me.


4) "message_key" is critical to ensure that only the right traps are de-duplicated under the same alert.


5) Attached are complete screen caps from my start to end, which show the traps coming into SNOW event management through to alert creation.


Next steps will be integrating all our other tools in the dev. environment. I am sure I will be posting more questions here as I come across additional questions/roadblocks.



Goran - Thanks again for your response. It gave me the push I needed to study and look at the document with a fresh set of eyes.



Best Regards,
Dan
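
Points 3 and 4 of the post above (severity taken from a varbind value, and `message_key` deciding which traps collapse into one alert), modelled as an added example that is not part of the original thread and is not ServiceNow's own code. The varbind keys (`sensor`, `status`, `message`), the source name `PRTG-trap` and the sample traps are constructed; `correlate` is a simplified stand-in for how events sharing a `message_key` roll up into a single alert.

```python
# Illustrative model only: output fields follow em_event (source, node, resource,
# severity, message_key); varbind keys and status strings are constructed.
from collections import OrderedDict

# em_event severity scale: 0 Clear, 1 Critical, 2 Major, 3 Minor, 4 Warning, 5 Info
STATUS_TO_SEVERITY = {"down": 1, "warning": 4, "up": 0}
DEFAULT_SEVERITY = 5  # unknown status values stay visible as Info, not dropped


def to_event(trap, source="PRTG-trap"):
    """Map one trap (dict of varbinds) to an em_event-shaped dict."""
    vb = trap["varbinds"]
    status = str(vb.get("status", "")).strip().lower()
    node = trap["agent_addr"]
    resource = vb.get("sensor", "unknown")
    return {
        "source": source,
        "node": node,
        "resource": resource,
        "severity": STATUS_TO_SEVERITY.get(status, DEFAULT_SEVERITY),
        "description": vb.get("message", ""),
        # Key omits status/severity so Down and Up for one sensor share an alert;
        # it includes node and resource so unrelated sensors never merge.
        "message_key": f"{source}:{node}:{resource}",
    }


def correlate(events):
    """Fold events into alerts keyed by message_key (latest severity wins)."""
    alerts = OrderedDict()
    for ev in events:
        alert = alerts.setdefault(ev["message_key"], {"count": 0})
        alert["count"] += 1
        alert["severity"] = ev["severity"]
        alert["state"] = "Closed" if ev["severity"] == 0 else "Open"
    return alerts


# Constructed sample traps (not captured from a real PRTG instance).
SAMPLE_TRAPS = [
    {"agent_addr": "192.0.2.10", "varbinds": {"sensor": "Ping", "status": "Down", "message": "timeout"}},
    {"agent_addr": "192.0.2.10", "varbinds": {"sensor": "Ping", "status": "Down", "message": "timeout"}},
    {"agent_addr": "192.0.2.10", "varbinds": {"sensor": "Ping", "status": "Up", "message": "ok"}},
    {"agent_addr": "192.0.2.11", "varbinds": {"sensor": "Disk", "status": "Warning", "message": "85% used"}},
    {"agent_addr": "192.0.2.11", "varbinds": {"sensor": "HTTP", "status": "Paused", "message": ""}},
]

ALERTS = correlate(to_event(t) for t in SAMPLE_TRAPS)
```
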


Hi Dan,



I've integrated PRTG with ServiceNow Event Management using the REST API (no MID Server needed) and found this to be significantly easier than using SNMP. If you're interested in the integration let me know and I'll provide a cookbook detailing the pre-requisites and steps.