Interface admin/operationally down events

Question

OK.&nbsp; So I'm fairly new to modifying events in SL1, but our NOC has requested that we research suppressing the "Poller: Interface operationally down" event if "Poller: Interface Admin down" is active on a given interface.&nbsp; That makes perfect sense to me.&nbsp; If an interface is admin down, then there is absolutely no need for the operationally down event/alert.&nbsp; Other tools I have administered in the past had this logic baked in out of the box, but that doesn't seem to be the case with SL1.&nbsp; I looked at using the Autoclear option for the Admin down event to have it clear the operationally down message, but I'd much rather just not have the operationally down event trigger at all if the interface is admin down.Any thoughts on how to get this configured?&nbsp; Thank you.

bryanharding · Answer

SL1 event "suppression" is a configuration of event policies such that if this event occurs again on specific device(s), that an active event record will not be created. The conditional if/else logic to which you refer is not a feature of the SL1 event engine whereby an event would only be created based off of the existence, or not, of other active events.&nbsp;
SL1 will actively mask events that are newer and equal or less severe generated on the same device in 10min buckets by default (Event Masks). This feature inherently "hides" such event noise from event tables and can be set to be excluded from Run Book Automation. Can you elaborate on what impact or objective you are currently aiming to address by conditionally "suppressing" the operationally down event? What problem(s) or impact is this currently having for your operations?

jbovee · Answer

By default, the "Poller: Interface Admin down" event has a severity level of Notice (which is appropriate given that condition requires a manual configuration change). The "Poller: Interface operationally down" event has a severity level of Major. Any time an interface is administratively brought down, it also brings it operationally down (down/down). Since the operationally down condition is a higher severity level than the admin down condition, it is not being suppressed. This is the situation where the operationally down events are essentially causing false positives for our NOC. They have procedures in place to respond to all operationally down messages (up/down), and the ones being generated due to a network admin administratively bringing down the interface is essentially a big waste of time. When it comes to interface states, the current logic in SL1 just appears to be flawed. What we really need is the following:

Interface up/up = healthy
Interface up/down = major
Interface down/down = notice

Forum Discussion

Interface admin/operationally down events

Related Content

ScienceLogic PowerHour - Interface Monitoring – SL

Suppress a syslog event on a specific interface

PowerHour - Optimizing Event Management – SL1

Support Video: Event Management Overview

Extend Internal Interface collection

Recent Discussions

Topology for SNMP device and pingable

Collector filestore DB size

Cisco Intersight PPK - metrics?

Equinix Powerpack?

SSL Certificate monitoring via UDP/TCP ports tab