Step by step walk through on converting SNMP trap to a ServiceNOW incident?

dan_tembe
Tera Contributor

Hello ServiceNOW Community.

New here to ServiceNOW, but I am a dev ops engineer with long-time tools exposure around HPOV, Netcool, NNMi, etc.

I am working with a development instance of ServiceNOW where I want to integrate various diverse tools and endpoints into ServiceNOW via SNMP traps.

I know there are commercial tools that allow us to do this, but I want to research how easy or hard it is to do this with just the ServiceNOW events management dashboard. I already have tools that can perform monitoring, and want to leverage ServiceNOW event management functionality to create incidents. Getting the Traps and JSON feeds using MID server into the central ServiceNOW was very straightforward. I am stuck beyond that, getting the event mapped properly to an incident.  

For now here is where I am at -

I have a dev. instance of ServiceNOW operational. I asked for and have the Events Management module functions available & enabled.

I have setup a MID server in my lab environment, which is successfully receiving SNMP Traps and forwarding them to the ServiceNOW Development instance assigned to me. I have confirmed this by checking the ServiceNOW events table (em_event). I can see the traps in the raw (?) format in the table or under all events screen. From here to getting one of the traps into event is where I need help.

I am having a hard time understanding how to map the event into a ServiceNOW incident using a rule. I see the trap gets forwarded and all the varbinds from the trap are getting up to the ServiceNOW event.

I was wondering if there is a cheat sheet or a video or a document that shows how to map a trap or event into proper severity, fields and move it into incident management. I read the wiki and all items that came up in search, but I am still confused. I feel that if I can do one and get it mapped from event to incident, then I can replicate the same process for the few others that I need to do the same for.

thanks in advance for your insight / help / support.

Dan

PS - for testing purposes I am sending test SNMP traps from PRTG to ServiceNOW via MID server. I have attached some screens if that helps clarify my ask.

1 ACCEPTED SOLUTION

Hi Dan,



Here's the PRTG event integration guide I prepared not long ago. The most challenging part of the integration is obtaining curl.exe - the version in the guide may no longer be available so you may need to try others from the web site.

If this is useful be sure to mark this response as helpful and a correct answer.



Hello Tony,


Thanks! I would love to get some details, if you are able to share.



I am new to ServiceNOW so still learning the concepts and work flows. Unfortunately, with my background in enterprise monitoring, I am most comfortable with SNMP, netflow, WMI, expect scripts, CMIP, TL1 and Syslog because my past is all around SIEM & Netcool, HPOV, etc.



REST, SOAP, JSON - I am at level 1 if there was a scale of understanding going from 1 to 10.



Doing some digging around and reading up, understanding the event flow to alert to incident. I think I am fairly up to speed on the basics now. I created some rules and mapping to move the events into alerts, then auto create incidents. I tested some push notifications using JSON from command line. I would like to move executing an action in PRTG with a python or PS script that sends the variables over to my DEV service now. If you have anything that helps with this, I would greatly appreciate the help.



Here are a couple of items I am working on currently -



1) Instead of using the PRTG built-in SNMP trap, I would just execute a trap with my own OIDs (mostly because I can then split each Message value into a separate varbind).

So, for example, below is a hypothetical trap that I will execute from PRTG (or some other tools which monitor IoT gateways) to the MID -



sudo snmptrap -v 1 -c B1gS3cr3t 192.168.1.214 '1.1.911' '192.193.194.195' 6 911 '' 1.1.1.1.1.1 s "Home Health Services" 1.1.1.1.1.2 s " On person BP Monitor" 1.1.1.1.1.3 s "GPS Coordinate Latitude: 32.776664" 1.1.1.1.1.4 s "GPS Coordinate Longitude: -96.796988 "   1.1.1.1.1.5 s "High Blood Pressure Detected" 1.1.1.1.1.6 s "161/84 mmHg " 1.1.1.1.1.7 s "Contact: 214-999-1234" 1.1.1.1.1.8 s "Alert Emergency Personnel"



This actually allows me to use one varbind for each field, and then map to a different field in the event rules and enrich the message as it is pushed into an alarm. Beyond that the rules are simple to create the incident.






I have done some digging around in looking at JSON to insert events into ServiceNOW by executing a command. So I can execute a python script or a shell script, and that is able to log in by creating a connection to SNOW (bypassing the MID), push data in.





I have identified the variables from the PRTG API that I will need to send over to SNOW via a scripted action (or SNMP trap if I have to live with it). After seeing your post, I have renewed hope that you have something similar but a lot more polished/better/reliable, that is actually working for you.



Anyway, just wanted you to know that I am actively pursuing my quest to learn SNOW Event Management and power of the event management, automation, de-dup, etc.., so your help is greatly appreciated.



Thanks in advance & hope to learn from your experience.



Dan




Hello Tony,


Thanks! This is great. I am going to start going down this path today. Duly noted the curl is changed so will certainly match against it. This certainly does seem to be a better solution than SNMP traps. Appreciate the help, support and your thoughtful post.


Regards,


Dan


stark


Do you have any new version of this document?


I tried to use it on a Dev instance and got stuck on the curl notification. Replaced login\pass and instance name with real names - no luck.


At the end of parameter line we have this:


-u <USER>:<PASSWORD> https://<INSTANCE_NAME>.service-now.com/api/now/table/em_event


Let's assume that my real data is like this:


"User" is "User ID" in SN which we created in a step 3: event


(it is not "User name" and it has evt_mgmt_integration role only)


Password for "event" account: PrtGInt835


Instance is: unicidev


My line will look like this:


-u event:PrtGInt835 https://unicidev.service-now.com/api/now/table/em_event



Did I miss something?


Thank you.


If you're using Jakarta then you'll need to use the new web service endpoint and send your event in a JSON format. Here's an example that should work (just replace the USER, PASSWORD and INSTANCE-NAME text with your own values):

curl -v -H "Accept: application/json" -H "Content-Type: application/json" --data "{ \"record\":
[
        {
        \"source\":\"SCOM\",
        \"event_class\":\"SCOM 2007 on scom.server.com\",
        \"resource\":\"C:\",
        \"node\":\"name.of.node.com\",
        \"metric_name\":\"Percentage Logical Disk Free Space\",
        \"type\":\"Disk space\",
        \"severity\":\"4\",
        \"description\":\"The disk C: on computer V-W2K8-dfg.dfg.com is running out of disk space. The value that exceeded the threshold is 41% free space.\"
        }
    ]
}" -u USER:PASSWORD "https://INSTANCE-NAME.service-now.com/em_event.do?JSONv2"



Let me know how you go.
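
Added example (not part of any post in this thread, and not ServiceNow or PRTG code): a Python version of the scripted action discussed above. It turns one-field-per-varbind trap data into the JSON body used by the curl command in the last reply, letting `json.dumps` do the quoting, and prepares the POST with the instance name and credentials read from environment variables instead of the command line. The OID-to-field mapping, the `SN_INSTANCE`/`SN_USER`/`SN_PASSWORD` variable names and the function names are assumptions.

```python
import base64
import json
import os
import urllib.request

# Constructed sample: some varbinds of the test trap quoted earlier in the thread.
SAMPLE_VARBINDS = {
    "1.1.1.1.1.1": "Home Health Services",
    "1.1.1.1.1.2": " On person BP Monitor",
    "1.1.1.1.1.5": "High Blood Pressure Detected",
    "1.1.1.1.1.6": "161/84 mmHg ",
    "1.1.1.1.1.8": "Alert Emergency Personnel",
}

# Hypothetical mapping from varbind OID to the event fields used in the curl example.
FIELD_BY_OID = {
    "1.1.1.1.1.1": "event_class",
    "1.1.1.1.1.2": "resource",
    "1.1.1.1.1.5": "type",
    "1.1.1.1.1.6": "metric_name",
}


def build_event(varbinds, node, source="PRTG", severity=4):
    """Return the JSON body for one event; json.dumps handles all escaping."""
    if not 0 <= int(severity) <= 5:
        raise ValueError("severity must be between 0 and 5")
    event = {"source": source, "node": node, "severity": str(int(severity))}
    unmapped = []
    for oid, value in sorted(varbinds.items()):
        text = str(value).strip()  # trap strings often carry stray padding
        field = FIELD_BY_OID.get(oid)
        if field:
            event[field] = text
        else:
            unmapped.append(text)  # anything without a field goes to description
    event["description"] = "; ".join(unmapped)
    return json.dumps({"record": [event]})


def build_request(body, env=os.environ):
    """Build (not send) the POST; instance and credentials come from the environment."""
    url = f"https://{env['SN_INSTANCE']}.service-now.com/em_event.do?JSONv2"
    token = base64.b64encode(f"{env['SN_USER']}:{env['SN_PASSWORD']}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body.encode(), method="POST", headers=headers)
```

Passing the returned request to `urllib.request.urlopen` sends the event; keeping the password in the environment keeps it out of the process list and out of the PRTG notification's parameter line.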