...
Event Property | Description | Example |
eventid | A globally unique Event ID | |
| Unix time of the event (seconds since 1970). | 1385076573 |
| The event time in human readable format | 2013-11-11T13:39:41 |
| The name of the node in question. Normally the same as the NMIS node name. | |
| The DNS hostname or IP address of the node in question, as extracted from the input data. | |
| Name of the event | Node Down, Node Up |
| What element of the node the event refers to. Optional. | FastEthernet1, Neighbor 1.2.4.5 |
| Is the state good or bad, up or down. | up/down, open/closed, etc |
| Name of the stateful object. Optional, but always present if | Node, Interface, OSPF Neighbor |
| Other event details | |
| Where did the event originate? | cisco_syslog, trap, NMIS, (remote) API |
| Has the event been marked for escalation? | 0 or 1 |
priority | opEvents priority level, see opEvents priority levels vs. NMIS and Syslog levels | 0 to 10 |
| Has the event been acknowledged? | 0 or 1 |
| Is this event a flap? | 0 or 1 |
action_required | Should the GUI show the event as open? Only present in opEvents versions up to (and including) 2.0.3. | 0 or 1 |
Optional but Common Properties
...
Event Property | Description | Example |
---|---|---|
interface_description | The ifAlias (or Description) of the interface in question
| |
authority | The server name of the system that originated the event; Optional, only relevant for remotely/API-generated events. | |
location | The URI for this event at the originating server. Optional, only relevant for remotely/API-generated events. | |
duplicateof | list of Event IDs that this one is a duplicate of | |
nodes | lists nodes that caused this synthetic event | |
eventids | list of Event IDs that were involved in causing this synthetic event. In opEvents 2.0.3 and newer this is also set for relationships between events, e.g. for auto-acknowledged events the up event lists the down event's id here and vice versa | |
| Unix time, until then the event is held back from processing for actions and policies | 1385079231 |
action_checked | Has the event been processed wrt. actions and policies? | 0 or 1 |
<scriptname>.output | If an event triggered a script action that is set to save, then the script output is stored in this property. | |
synthetic | whether this event was created by a correlation policy action, or because a watchdog expired | 0 or 1 |
watchdog | whether this is a watchdog expiration event | 0 or 1 |
escalation_age | If the event is or was subject to escalation, then this property indicates the event's most recent escalation threshold. Note that this property is not cleared when the event is acknowledged and escalation terminates. | 60, 900 etc. |
escalation_policy | If the event is or was subject to escalation, then this property lists the event's most recently active escalation policy name. Like the previous property, this one persists after escalation terminates. | |
notes | a list of originator- and time-tagged comments for this event (optional, supported in opEvents 2.0 and newer) | |
tag_ <anything> | These enrichment tags are controlled by your action policy, and have no special meaning - with the exception of tag_kb_topic , which controls linking to online sources (in opEvents 2.0.2 and up), - and tag_servicePriority , which is shown with the event priority if present(only in opEvents 2.0.4 and up) | |
status_history | A structured record of changes and activities related to the event. |
Node vs. Host, and how opEvents handles inconsistent input data
...