常见问题解答: ONTAP 9 事件管理系统概述
适用场景
ONTAP 9
问题解答
什么是 EMS 事件消息?
- EMS事件是ONTAP 9中的发生记录、默认情况下会记录在事件管理系统日志中。EMS事件消息包含多个组件、您可以在ONTAP事件目录中查看这些组件。
示例: 如何查找EMS事件消息的详细信息:
ClusterA::> event catalog show -message-name monitor.volume.nearlyFull
Message Name: monitor.volume.nearlyFull
Severity: ALERT问题描述: 如果一个或多个文件系统接近全满,通常表示至少已满 95% ,则会出现此消息。此事件还附带了针对客户的全球运行状况监控消息。空间使用量是根据活动文件系统大小计算
volume show-space的,计算方法是从 " " 命令的 " 已用 " 字段值中减去 " Snapshot 预留 " 字段的值。更正操作: 通过增加卷或聚合大小,删除数据或删除 Snapshot ( R )副本来创建空间。要增加卷的大小、请运行“
volume size”命令。要删除卷的 Snapshot ( R )副本,请运行 "" volume snapshot delete命令。要增加聚合的大小、请通过运行 ''storage aggregate add-disks 命令添加磁盘。聚合已满时,系统会自动删除聚合 Snapshot ( R )副本。SNMP Trap Type: Built-inIs Deprecated: false- 任何给定事件的唯一特征都是消息名称。在此示例中,消息名称为
monitor.volume.nearlyFull。此外、严重性为'ALERT'、与事件关联的SNMP陷阱类型为"Built-in"。 - 任何给定事件消息的严重性表示事件的预期影响。以下是严重级别列表及其含义说明:
ClusterA::> event catalog show -severity ?
EMERGENCY Disruption
ALERT Single point of failure
ERROR Degradation
NOTICE Information
INFORMATIONAL Information
DEBUG Debug information- SNMP陷阱类型在 ONTAP 9文档中心中进行了讨论
- 过去、在ONTAP 9之前、EMS事件消息会逐个配置到目标:
ClusterA::> event route show -message-name monitor.volume.nearlyFull -destinations ?
allevents
asup
criticals
pager
traphost- 最终、EMS事件消息目录不断增长、并且难以按消息进行管理、因此在ONTAP 9中实施了一个基于筛选器的更新路由事件消息系统。
- 新系统允许基于规则的事件筛选器收集要传送到事件目标的事件、方法是使用事件通知将事件筛选器与事件目标关联起来。
- 默认情况下、在安装或升级到ONTAP 9后、系统会实施事件筛选器、事件目标和事件通知的基本配置。可以通过删除事件通知来禁用默认配置、但不能修改或删除内置事件筛选器和事件目标(但可以将其复制到新的用户自定义筛选器和目标中以供进一步自定义)。
ClusterA::*> system snmp traphost show
snmp-traphost snmp - (from "system snmp traphost")
-------------- ---------- ---------------------
Name Type Destination
ClusterA::*> event notification destination show
1 default-trap-events snmp-traphost
---- ------------------------------ -----------------
ID Filter Name Destinations
ClusterA::*> event notification show
9 entries were displayed.
2 exclude * * *
1 include * * EMERGENCY, ALERT, ERROR, NOTICE
no-info-debug-events
3 exclude * * *
2 include callhome.* * ERROR
1 include * * EMERGENCY, ALERT
important-events
4 exclude * * *
*
3 include * Standard, Built-in
2 include callhome.* * ERROR
1 include * * EMERGENCY, ALERT
default-trap-events
----------- -------- --------- ---------------------- --------------- --------
Position Type
Filter Name Rule Rule Message Name SNMP Trap Type Severity
ClusterA::*> event filter show -
- 内置目标"
snmp-traphost"通过 运行命令"system snmp traphost add"链接到为存储系统配置的默认陷阱主机、或者通过OnCommand系统管理器通过类似于以下示例的URL配置此目标:
https:///sysmgr/SysMgr.html#SNMP
ONTAP 9 EMS 事件筛选器的工作原理
- 生成EMS事件消息时、系统会将其与所有已配置的EMS事件筛选器进行比较。
- EMS事件筛选器是一个规则列表、其中包括或排除任何给定EMS事件消息。系统会按顺序将每条消息与EMS事件筛选器中的规则进行比较、以寻求与规则匹配、如果出现任何匹配、则进一步的规则处理将停止。
- 每个EMS事件筛选器中的最后一个规则将匹配并排除每个事件消息。因此、如果EMS事件消息与先前的规则不匹配、则会将其从筛选器中排除。 因此、仅使用默认规则的新创建EMS事件筛选器将与任何EMS事件消息不匹配。
- 您可以创建类似于以下示例的自定义EMS事件筛选器:
ClusterA::> event filter create -filter-name Custom_Filter
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule Rule Message Name SNMP Trap Type Severity
Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
1 exclude * * *- 请注意、此新创建的事件筛选器会自动在位置1中包含默认规则、该规则会排除与任何条件(消息名称、SNMP陷阱类型和严重性)匹配的事件消息。这可确保筛选器不会收集任何不需要的EMS事件消息。
- 对于EMS事件消息示例,
monitor.volume.nearlyFull请创建一个规则,以便在新筛选器中收集该消息。
ClusterA::> event filter rule add -filter-name Custom_Filter -type include -message-name monitor.volume.nearlyFull
ClusterA::> event filter show -filter-name Custom_Filter Filter Name Rule Rule Message Name SNMP Trap Type Severity
Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
1 include monitor.volume.nearlyFull
* *
2 exclude * * *
2 entries were displayed.- 此规则将收集与消息名称monitor.volume.NearlyFull匹配的所有事件、 但是、如果需要收集与查询"
monitor.volume.*"匹配的所有EMS事件消息、则可以收集
2 exclude * * *
1 include monitor.volume.* * *
Custom_Filter
----------- -------- --------- ---------------------- --------------- --------
Position Type
Filter Name Rule Rule Message Name SNMP Trap Type Severity
ClusterA::> event filter show -filter-name Custom_Filter
ClusterA::> event filter rule add -filter-name Custom_Filter -type include -message-name monitor.volume.*
ClusterA::> event filter rule delete -filter-name Custom_Filter -position 1Now, our rule will collect all of these EMS Event Messages:
ClusterA::> event catalog show -message-name monitor.volume.*
Message Severity SNMP Trap Type
-------------------------------- ---------------- -----------------
monitor.volume.full DEBUG Built-in
monitor.volume.nearlyFull ALERT Built-in
monitor.volume.ok DEBUG Built-in
3 entries were displayed.- 但是,在测试中,我们决定不需要收集
monitor.volume.ok。因此、请在事件筛选器中插入一条要在前面处理的规则、以便专门排除该事件消息。这是如何完成的:
ClusterA::> event filter rule add -filter-name Custom_Filter -type exclude -message-name monitor.volume.ok -position 1
ClusterA::> event filter show -filter-name Custom_Filter Filter Name Rule Rule Message Name SNMP Trap Type Severity
Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
1 exclude monitor.volume.ok * *
2 include monitor.volume.* * *
3 exclude * * *
3 entries were displayed.- 这些示例侧重于EMS事件消息名称、但是也可以按SNMP强奸类型或严重性进行筛选。因此
Severity level ALERT,例如,如果您还希望让过滤器收集的所有事件,则可以使用该条件添加规则。
ClusterA::> event filter rule add -filter-name Custom_Filter -type include -severity ALERT
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule Rule Message Name SNMP Trap Type Severity
Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
1 exclude monitor.volume.ok * *
2 include monitor.volume.* * *
3 include * * ALERT
4 exclude * * *
4 entries were displayed.
什么是错误:命令失败:此规则与任何事件不匹配。输入有效规则。平均值?
示例:
ClusterA::> event filter rule add -filter-name Inodes_Events -type include -message-name wafl.vol.runningOutOfInodes -severity ALERT
Error: command failed: This rule does not match any event. Enter a valid rule.- 这意味着EMS消息的严重性类型不正确。
- 要验证:
ClusterA::> event catalog show -message-name wafl.vol.runningOutOfInodes
Message Name: wafl.vol.runningOutOfInodes
Severity: ERROR- 严重性应为error、正确的命令应为
ClusterA::> event filter rule add -filter-name Inodes_Events -type include -message-name wafl.vol.runningOutOfInodes -severity ERROR
- 有关 用于管理EMS事件筛选器的命令的详细信息,请单击以下链接: ONTAP 9文档中心。
ONTAP 9 EMS 事件通知目标的工作原理
- ONTAP 9事件通知目标控制EMS事件筛选器收集的EMS事件消息的传送。
- 目标可以是电子邮件地址、系统日志服务器、SNMP陷阱主机或REST .API服务器。
- 默认情况下、唯一的EMS事件通知目标是内置的"
snmp-traphost"、该目标不可删除、它会映射到"系统SNMP陷阱主机"中的SNMP陷阱主机配置、该配置可以单独配置(也可以根本不配置)。
ClusterA::> event notification destination show
Name Type Destination
-------------- ---------- ---------------------
snmp-traphost snmp - (from "system snmp traphost")
ClusterA::> system snmp traphost show
-- 您可以 通过运行 以下命令来创建其他自定义事件目标:
ClusterA::> event notification destination create
Usage:
[-name] Destination Name
{ [-email] Email Destination
| [-syslog] Syslog Destination
| [-rest-api-url] REST API Server URL
[[-certificate-authority] ]
Client Certificate Issuing CA
[ -certificate-serial ] }
Client Certificate Serial Number
ClusterA::> event notification destination create Custom_Destination_syslog -syslog 1.2.3.4
ClusterA::> event notification destination create Custom_Destination_email -email user@domain.com
ClusterA::> event notification destination show
Name Type Destination
-------------- ---------- ---------------------
Custom_Destination_email
email user@domain.com (via "localhost" from "admin@localhost", configured in "event config")
Custom_Destination_syslog
syslog 1.2.3.4
snmp-traphost snmp - (from "system snmp traphost")
3 entries were displayed. - 系统日志的自定义EMS事件通知目标的IP地址为1.2.3.4。
- 请注意、事件通知目标类型"EMAIRO"在圆括号中有一个注释、用于显示事件配置中配置的邮件服务器和源电子邮件地址:
ClusterA::> event config show
Mail From: admin@localhost
Mail Server: localhost
Proxy URL: -
Proxy User: -EMS 事件通知的工作原理
- EMS事件通知用于定义EMS事件筛选器中收集的有效负载与EMS事件通知目标中定义的交付目标之间的映射。
- 默认情况下、会预先配置一个EMS事件通知、以便将内置default-陷阱 事件EMS事件筛选器映射到内置的SNMP-陷阱 主机EMS事件通知目标。如果需要、可以删除此默认EMS事件通知。
ClusterA::> event notification show
ID Filter Name Destinations
---- ------------------------------ -----------------
1 default-trap-events snmp-traphost
ClusterA::> event notification delete 1
ClusterA::> event notification show
This table is currently empty.- 创建EMS事件通知时、请仅指定一个EMS事件筛选器和一个或多个EMS事件通知目标。EMS事件消息将根据电子邮件、SNMP、系统日志事件消息等类型自动转换为每个EMS事件通知目标的相应格式
ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_email
ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_syslog
ClusterA::vserver> event notification show
ID Filter Name Destinations
---- ------------------------------ -----------------
1 Custom_Filter Custom_Destination_email
2 Custom_Filter Custom_Destination_syslog
2 entries were displayed.- EMS事件筛选器可在多个EMS事件通知中引用、如果不谨慎、则可能会引入冗余:
ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_syslog,Custom_Destination_email
ClusterA::vserver> event notification show ID Filter Name Destinations
---- ------------------------------ -----------------
1 Custom_Filter Custom_Destination_email
2 Custom_Filter Custom_Destination_syslog
3 Custom_Filter Custom_Destination_syslog, Custom_Destination_email
3 entries were displayed.- 如果删除EMS事件筛选器、则任何对应的EMS事件通知也将被删除。
- 如果删除EMS事件通知目标、则它将自动从任何EMS事件通知中删除(如果它是最后定义的EMS事件目标、则EMS事件通知也将被删除):
ClusterA::> event notification destination delete -name Custom_Destination_syslog
Warning: The destination will be deleted from all notifications, if present. If
this was the only destination in the notification, it will be deleted
too.
Do you want to continue? {y|n}: y
ClusterA::> event filter delete -filter-name Custom_Filter
Warning: Deleting this filter will delete the notification as well.
Do you want to continue? {y|n}: y
ClusterA::> event filter delete -filter-name Custom_Filter
ClusterA::> event notification show
This table is currently empty. 追加信息
不适用