Raw event normalization

Raw events are passed to VMware Smart Assurance NOTIF through adapters after being normalized into a common structure. This structure provides the required basic event information and additional data used for further processing. The format of the data stream is a pipe-separated ("|") string as shown below:
<eventTimeStamp>|<eventAgent>|<eventBaseID>|<eventSub1ID>|<eventSub2ID>|<Keyword1|Value1>|<Keyword2|Value2>.....
The pipe-separated data stream includes the following information:
  • eventTimeStamp — Event occurrence time in UNIX time format; seconds since the Epoch
  • eventAgent — Agent name or IP address
  • eventBaseID — dot-separated hierarchical identifier string (abc.123.XYZ….) (for example, enterprise for SNMP)
  • eventSub1ID — General identifier (generic trap number for SNMP)
  • eventSub2ID — Specific identifier (specific trap number for SNMP)
  • Keyword1|Value1 — Keyword|value pair (OID1|value for SNMP)
  • Keyword2|Value2 — Keyword|value pair (OID2|value for SNMP)
The eventBaseID, eventSub1ID, and eventSub2ID parameters are used as the unique event identifiers to match with ECI objects. The number of Keyword|Value pairs is variable. Event IDs may use all three fields, the first two, or only the eventBaseID, depending on the raw events being processed.
For specific adapters, the adapter documentation describes the composition of the ID strings and the Keyword|Value pair mapping.
VMware Smart Assurance NOTIF replaces the pipe character ("|") in a field (varbind) with double dashes ("--") to process the raw event.
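
The following is an added example, not NOTIF or adapter code: a sketch of building and parsing the stream described above. It shows why a pipe inside a varbind value has to be replaced before the fields are joined. It assumes the angle brackets in the format line are placeholder notation, applies the replacement to every field, and uses hypothetical function names and constructed sample values.

```python
# Added example: field names follow the page; function names are hypothetical.
from typing import NamedTuple

class Event(NamedTuple):
    timestamp: int
    agent: str
    base_id: str
    sub1_id: str
    sub2_id: str
    pairs: list  # ordered (keyword, value) tuples

def sanitize(field) -> str:
    """Replace the delimiter inside a field with "--", as the page describes."""
    return str(field).replace("|", "--")

def normalize(timestamp, agent, base_id, sub1_id="", sub2_id="", pairs=()):
    """Build the pipe-separated stream from already-extracted raw event data."""
    tokens = [str(int(timestamp)), agent, base_id, sub1_id, sub2_id]
    for keyword, value in pairs:
        tokens += [keyword, value]
    return "|".join(sanitize(t) for t in tokens)

def parse(stream: str) -> Event:
    """Split a normalized stream; reject records whose shape is wrong."""
    tokens = stream.split("|")
    if len(tokens) < 5:  # five fixed fields precede the pairs
        raise ValueError("missing fixed fields")
    head, rest = tokens[:5], tokens[5:]
    if len(rest) % 2:
        raise ValueError("dangling keyword without a value")
    if not head[0].isdigit():
        raise ValueError("eventTimeStamp is not UNIX seconds")
    if not head[2]:
        raise ValueError("eventBaseID is empty")
    pairs = list(zip(rest[0::2], rest[1::2]))
    return Event(int(head[0]), head[1], head[2], head[3], head[4], pairs)

def match_key(ev: Event) -> tuple:
    """ID fields in use: all three, the first two, or eventBaseID only."""
    ids = [ev.base_id, ev.sub1_id, ev.sub2_id]
    while ids and not ids[-1]:
        ids.pop()
    return tuple(ids)

# Constructed sample: an SNMP-style event whose varbind value contains "|".
SAMPLE = normalize(1700000000, "192.0.2.10", "1.3.6.1.4.1.99999", "6", "42",
                   [("1.3.6.1.4.1.99999.1.1", "link down|eventAgent|10.0.0.1")])
```

Without the replacement, the constructed value would split into three tokens and the parser would see an odd number of pair tokens, or worse, a forged extra Keyword|Value pair.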