The current Event Storm Suppression in OBM/OMi is much less versatile than the Event Suppression Filter (ESF) feature in the legacy OML 9.2X.
Before 2018.11, the Event Storm Suppression in OBM only allowed to suppress storms of events coming from the same source node when they exceeded a rate.
In OBM 2018.11, the Event Storm Suppression feature has been improved to, in addition, allow to suppress storms of events with the same related CI. This is a very useful improvement. For example, when the events come from an NNMi system, end network devices are the ones that will most be sending storms, but all the events come from a single node, the NNMi system. This change helps in this situation, since we do not want to block the whole NNMi system, only the end network devices that generate too many events.
But still, the Event Storm Suppression is not versatile enough. For example, it is common to deploy a buggy policy to hundreds of nodes and suddenly getting thousands of events from thousands of nodes, and Event Storm Suppression would not detect this because the events come from different nodes and even different related CIs. Also, for example, it could happen that all the Linux systems get a kernel patch, that kernel patch generates 20 several events in syslog and a policy to match kernel problems in all your thousands of nodes would generate an important event storm without a common node or related CI.
In the legacy OM world, the Event Suppression Filter (ESF) provided a very fine storm control. It was possible to define "gates" to define how a given storm should be detected. This is a sample "gate":
We can see that we could define that the Event Storm filter for "Network" would be applied on events with the same Customer, Application and MsgType and with the "MsgGroup=Network". But we could also use other fields (Node, Object, Message Text) to define what we would consider an Event Storm and how to react to it.
I would like to see a feature as rich as OML's ESF in OBM that would allow us to categorize types of potential Event Storms and how to react to them. I would specially would like to see the capability to categorize event storms per source policy and category, but if possible, we should have additional fields to choose, like with OM's ESF.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.