Raw event
normalization
Raw events are passed to
VMware Smart Assurance
NOTIF through
adapters after being normalized
into a common structure.
This structure provides the required basic event information and additional
data used for further processing. The format of the data stream is
a pipe-separated ("|") string as shown below: <eventTimeStamp>|<eventAgent>|<eventBaseID>|<eventSub1ID>|<eventSub2ID>|<Keyword1|Value1>|<Keyword2|Value2>.....
The pipe-separated data stream includes the following
information:
- eventTimeStamp — Event occurrence time in UNIX time format; seconds since the Epoch
- eventAgent — Agent name or IP address
- eventBaseID —dot-separated hierarchical identifier string (abc.123.XYZ….)
- (for example, enterprise for SNMP)
- eventSub1ID — General identifier (generic trap number for SNMP)
- eventSub2ID — Specific identifier (specific trap number for SNMP)
- Keyword1|Value1 — Keyword|value pair (OID1|value for SNMP)
- Keyword2|Value2 — Keyword|value pair (OID2|value for SNMP)The eventBaseID, eventSub1ID, and eventSub2ID parameters are used as the unique event identifiers to match with ECI objects. The number of Keyword|Value pairs is variable. Event IDs may use all three fields, the first two, or only the eventBaseID; it depends on the raw events being processed.For specific adapters, the adapter documentation provides details to obtain information on the composition of the ID strings and the Keyword|Value pair mapping.VMware Smart AssuranceNOTIF replaces pipe character ("|") in field.(varbind) by double dashes ("--") to process the raw event.