From 80d823d58b4ba8e7af1a822659a20f2035c2131d Mon Sep 17 00:00:00 2001
From: gitea <znup@MacBook-Pro.local>
Date: Tue, 24 Feb 2026 10:34:50 +0100
Subject: [PATCH] commit last 2

---
 events.md | 203 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 203 insertions(+)
 create mode 100644 events.md

diff --git a/events.md b/events.md
new file mode 100644
index 0000000..ae62683
--- /dev/null
+++ b/events.md
@@ -0,0 +1,203 @@
+# ServiceNow event additional_info: Raw vs MIB-translated
+
+This document shows **additional_info** from selected events in `test_events_servicenow.xml`, with OIDs translated to MIB names from **ADVA-FSP3000ALM-MIB.txt**. All events use the ALM subtree (2544.1.14 = fsp3000alm).
+
+---
+
+## OID → MIB name mapping (used in translations)
+
+| Raw OID suffix (2544.1.14.*) | MIB name (fsp3000alm subtree) |
+|-----------------------------|-------------------------------|
+| **.0.X** | **trap.***trapName* (e.g. trap.alarmLinkBudgetExceeded for X=14) |
+| .1.1.1.3.1.X | alarm.alarmTable.alarmEntry.alarmSeverity.1.*X* (alarm type *X*) |
+| .1.2.1.3.1.X | alarm.alarmSeverityTable.alarmSeverityEntry.alarmSeverityValue.1.*X* |
+| .1.4.1.2.X | alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.*X* |
+| .2.2.1.4.1 | device.portTable.portEntry.portName.1 |
+| .2.2.1.5.1 | device.portTable.portEntry.portAidString.1 |
+| .3.11.1.4.1.1 | measurement.measurementAutoFaTable.measurementAutoFaEntry.measurementAutoFaFaultPos.1.1 |
+| .4.2.1.2.X | eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.*X* |
+| .4.2.1.4.X | eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.*X* |
+| .5.8.1 | system.advaSecurity.authTrapUserName |
+| .5.8.2 | system.advaSecurity.authTrapLctIp |
+| .5.8.3 | system.advaSecurity.authTrapStatus |
+| .5.8.4 | system.advaSecurity.authTrapSessionId |
+| .5.8.5 | system.advaSecurity.authTrapProtocol |
+| sysUpTime | sysUpTime (standard) |
+| int_ev_type | int_ev_type (probe/internal) |
+| snmpTrapOID | snmpTrapOID (trap PDU OID) |
+
+Trap numbers (**.0.X**) map to names per ALM MIB, e.g. 9=alarmFaRunning, 14=alarmLinkBudgetExceeded, 41=transientFaStarted, 42=transientFaCompleted, 44=transientFaSaved, 62=authenticationNotification.
+
+---
+
+## Event 1 — authenticationNotification (trap 62)
+
+| Raw (additional_info keys) | Translated (MIB names) |
+|----------------------------|-------------------------|
+| iso...2544.1.14.5.8.1 = "admin" | **system.advaSecurity.authTrapUserName** = "admin" |
+| iso...2544.1.14.4.2.1.4.194 = "SHMON-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.194** = "SHMON-1" |
+| sysUpTime = "472 days, 20:30:46.82" | sysUpTime = "472 days, 20:30:46.82" |
+| iso...2544.1.14.5.8.4 = "web/0" | **system.advaSecurity.authTrapSessionId** = "web/0" |
+| iso...2544.1.14.5.8.5 = "8" | **system.advaSecurity.authTrapProtocol** = "8" |
+| iso...2544.1.14.5.8.2 = "10.24.11.251" | **system.advaSecurity.authTrapLctIp** = "10.24.11.251" |
+| iso...2544.1.14.5.8.3 = "5" | **system.advaSecurity.authTrapStatus** = "5" |
+| iso...2544.1.14.4.2.1.2.194 = "2026-02-23 10:57:03" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.194** = "2026-02-23 10:57:03" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.4.1.2.62 = "authenticationNotification" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.62** = "authenticationNotification" |
+| snmpTrapOID = "iso...2544.1.14.0.62" | snmpTrapOID = **fsp3000alm.trap.authenticationNotification** |
+
+---
+
+## Event 2 — transientFaCompleted (trap 42)
+
+| Raw | Translated |
+|-----|-------------|
+| sysUpTime = "472 days, 20:08:12.36" | sysUpTime = "472 days, 20:08:12.36" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.4.2.1.2.192 = "2026-02-23 10:34:29" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.192** = "2026-02-23 10:34:29" |
+| iso...2544.1.14.4.2.1.4.192 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.192** = "MCH-1-1" |
+| snmpTrapOID = "iso...2544.1.14.0.42" | snmpTrapOID = **fsp3000alm.trap.transientFaCompleted** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+| iso...2544.1.14.1.4.1.2.42 = "transientFaCompleted" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.42** = "transientFaCompleted" |
+
+---
+
+## Event 3 — alarmFaRunning (trap 9) with severity
+
+| Raw | Translated |
+|-----|-------------|
+| sysUpTime = "472 days, 20:08:12.34" | sysUpTime = "472 days, 20:08:12.34" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.1.1.3.1.9 = "6" | **alarm.alarmTable.alarmEntry.alarmSeverity.1.9** = "6" |
+| iso...2544.1.14.1.4.1.2.9 = "alarmFaRunning" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.9** = "alarmFaRunning" |
+| iso...2544.1.14.1.2.1.3.1.9 = "5" | **alarm.alarmSeverityTable.alarmSeverityEntry.alarmSeverityValue.1.9** = "5" |
+| iso...2544.1.14.4.2.1.2.191 = "2026-02-23 10:34:29" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.191** = "2026-02-23 10:34:29" |
+| snmpTrapOID = "iso...2544.1.14.0.9" | snmpTrapOID = **fsp3000alm.trap.alarmFaRunning** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+| iso...2544.1.14.4.2.1.4.191 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.191** = "MCH-1-1" |
+
+---
+
+## Event 4 — transientFaSaved (trap 44) with measurement varbind
+
+| Raw | Translated |
+|-----|-------------|
+| sysUpTime = "472 days, 20:08:12.38" | sysUpTime = "472 days, 20:08:12.38" |
+| iso...2544.1.14.3.11.1.4.1.1 = "0" | **measurement.measurementAutoFaTable.measurementAutoFaEntry.measurementAutoFaFaultPos.1.1** = "0" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.4.2.1.2.193 = "2026-02-23 10:34:29" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.193** = "2026-02-23 10:34:29" |
+| iso...2544.1.14.1.4.1.2.44 = "transientFaSaved" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.44** = "transientFaSaved" |
+| iso...2544.1.14.4.2.1.4.193 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.193** = "MCH-1-1" |
+| snmpTrapOID = "iso...2544.1.14.0.44" | snmpTrapOID = **fsp3000alm.trap.transientFaSaved** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Event 5 — alarmLinkBudgetExceeded (trap 14)
+
+| Raw | Translated |
+|-----|-------------|
+| iso...2544.1.14.1.4.1.2.14 = "alarmLinkBudgetExceeded" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.14** = "alarmLinkBudgetExceeded" |
+| iso...2544.1.14.1.1.1.3.1.14 = "6" | **alarm.alarmTable.alarmEntry.alarmSeverity.1.14** = "6" |
+| sysUpTime = "472 days, 20:07:41.89" | sysUpTime = "472 days, 20:07:41.89" |
+| iso...2544.1.14.4.2.1.2.188 = "2026-02-23 10:33:58" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.188** = "2026-02-23 10:33:58" |
+| iso...2544.1.14.4.2.1.4.188 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.188** = "MCH-1-1" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.2.1.3.1.14 = "2" | **alarm.alarmSeverityTable.alarmSeverityEntry.alarmSeverityValue.1.14** = "2" |
+| snmpTrapOID = "iso...2544.1.14.0.14" | snmpTrapOID = **fsp3000alm.trap.alarmLinkBudgetExceeded** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Event 6 — transientFaStarted (trap 41)
+
+| Raw | Translated |
+|-----|-------------|
+| sysUpTime = "472 days, 20:07:41.97" | sysUpTime = "472 days, 20:07:41.97" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.4.2.1.2.190 = "2026-02-23 10:33:58" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.190** = "2026-02-23 10:33:58" |
+| iso...2544.1.14.1.4.1.2.41 = "transientFaStarted" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.41** = "transientFaStarted" |
+| iso...2544.1.14.4.2.1.4.190 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.190** = "MCH-1-1" |
+| snmpTrapOID = "iso...2544.1.14.0.41" | snmpTrapOID = **fsp3000alm.trap.transientFaStarted** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Event 7 — alarmFaRunning (trap 9), no alarmSeverityValue
+
+| Raw | Translated |
+|-----|-------------|
+| iso...2544.1.14.4.2.1.2.189 = "2026-02-23 10:33:58" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.189** = "2026-02-23 10:33:58" |
+| sysUpTime = "472 days, 20:07:41.93" | sysUpTime = "472 days, 20:07:41.93" |
+| iso...2544.1.14.4.2.1.4.189 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.189** = "MCH-1-1" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.1.1.3.1.9 = "5" | **alarm.alarmTable.alarmEntry.alarmSeverity.1.9** = "5" |
+| iso...2544.1.14.1.4.1.2.9 = "alarmFaRunning" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.9** = "alarmFaRunning" |
+| snmpTrapOID = "iso...2544.1.14.0.9" | snmpTrapOID = **fsp3000alm.trap.alarmFaRunning** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Event 8 — alarmLinkBudgetExceeded (duplicate reception, same 188)
+
+| Raw | Translated |
+|-----|-------------|
+| iso...2544.1.14.1.4.1.2.14 = "alarmLinkBudgetExceeded" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.14** = "alarmLinkBudgetExceeded" |
+| iso...2544.1.14.1.1.1.3.1.14 = "6" | **alarm.alarmTable.alarmEntry.alarmSeverity.1.14** = "6" |
+| sysUpTime = "472 days, 20:07:41.90" | sysUpTime = "472 days, 20:07:41.90" |
+| iso...2544.1.14.4.2.1.2.188 = "2026-02-23 10:33:58" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.188** = "2026-02-23 10:33:58" |
+| iso...2544.1.14.4.2.1.4.188 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.188** = "MCH-1-1" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.2.1.3.1.14 = "2" | **alarm.alarmSeverityTable.alarmSeverityEntry.alarmSeverityValue.1.14** = "2" |
+| snmpTrapOID = "iso...2544.1.14.0.14" | snmpTrapOID = **fsp3000alm.trap.alarmLinkBudgetExceeded** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Event 9 — transientFaCompleted (event log index 186)
+
+| Raw | Translated |
+|-----|-------------|
+| iso...2544.1.14.4.2.1.4.186 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.186** = "MCH-1-1" |
+| sysUpTime = "472 days, 20:02:20.08" | sysUpTime = "472 days, 20:02:20.08" |
+| iso...2544.1.14.4.2.1.2.186 = "2026-02-23 10:28:36" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.186** = "2026-02-23 10:28:36" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| snmpTrapOID = "iso...2544.1.14.0.42" | snmpTrapOID = **fsp3000alm.trap.transientFaCompleted** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+| iso...2544.1.14.1.4.1.2.42 = "transientFaCompleted" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.42** = "transientFaCompleted" |
+
+---
+
+## Event 10 — alarmFaRunning (event log index 183)
+
+| Raw | Translated |
+|-----|-------------|
+| iso...2544.1.14.4.2.1.4.183 = "MCH-1-1" | **eventLogs.eventLogTable.eventLogEntry.eventLogIdentityTranslation.183** = "MCH-1-1" |
+| sysUpTime = "472 days, 20:01:47.03" | sysUpTime = "472 days, 20:01:47.03" |
+| iso...2544.1.14.4.2.1.2.183 = "2026-02-23 10:28:04" | **eventLogs.eventLogTable.eventLogEntry.eventLogTimeStamp.183** = "2026-02-23 10:28:04" |
+| iso...2544.1.14.2.2.1.4.1 = " Duct 1-miniduct 2 Grijs" | **device.portTable.portEntry.portName.1** = " Duct 1-miniduct 2 Grijs" |
+| int_ev_type = "SNMP" | int_ev_type = "SNMP" |
+| iso...2544.1.14.1.1.1.3.1.9 = "5" | **alarm.alarmTable.alarmEntry.alarmSeverity.1.9** = "5" |
+| iso...2544.1.14.1.4.1.2.9 = "alarmFaRunning" | **alarm.alarmDescriptionTable.alarmDescriptionEntry.alarmDescriptionName.9** = "alarmFaRunning" |
+| snmpTrapOID = "iso...2544.1.14.0.9" | snmpTrapOID = **fsp3000alm.trap.alarmFaRunning** |
+| iso...2544.1.14.2.2.1.5.1 = "MCH-1-1" | **device.portTable.portEntry.portAidString.1** = "MCH-1-1" |
+
+---
+
+## Summary
+
+- **Event log** varbinds (**.4.2.1.2.X**, **.4.2.1.4.X**) give **eventLogTimeStamp** and **eventLogIdentityTranslation** (entity name) per log index *X*; use for **message_key** (entity\|trapOID\|index).
+- **Device** varbinds (**.2.2.1.4.1**, **.2.2.1.5.1**) are **portName** and **portAidString** for port 1; use for resource/affected CI.
+- **Alarm** varbinds (**.1.1.1.3.1.X**, **.1.2.1.3.1.X**, **.1.4.1.2.X**) carry alarm state/severity and trap type name; use for severity and event type.
+- **system.advaSecurity** (**.5.8.***) appears in authentication traps (user, IP, protocol, etc.).
+- **snmpTrapOID** (**.0.X**) identifies the trap; in translated form it becomes **fsp3000alm.trap.***trapName***.
+
+Source: `test_events_servicenow.xml`, MIB: `mib files/ADVA-FSP3000ALM-MIB.txt`.