snmptt-users Mailing List for SNMP Trap Translator
Brought to you by:
alex_b
From: Alex B. <al...@us...> - 2021-11-27 18:29:49
|
SNMPTT 1.5beta2 has been released. Please report any issues to this list or file a bug report at https://github.com/snmptt/snmptt/issues.

What's New:

- Added PREEXEC support for unknown traps. Results are stored in the variable *$pun*. See the *unknown_trap_preexec* setting in *snmptt.ini*.
- Added *unknown_trap_nodes_match_mode* setting to allow you to change how traps are handled when they do not match due to *MATCH* and *NODES*. If set to 1, traps are considered skipped instead of unknown. Statistics now include the number of skipped traps when enabled.
- Added support for wildcards for the *snmptt_conf_files* setting in *snmptt.ini*. Example: */etc/snmp/snmptt.*.conf*
- Added *log_format* *snmptt.ini* setting to allow you to define the STDOUT, text log and eventlog text format.
- Added *syslog_format* *snmptt.ini* setting to allow you to define the syslog text format. This will allow you to add a structured data section for RFC5424 syslog.
- Added variable substitution *$j* to pull out the enterprise number from the full enterprise OID. For example, for enterprise OID .1.3.6.1.4.1.232, *$j* would contain 232.
- Added remote syslog support using the Perl module Log::Syslog::Fast which also allows you to specify the APP-NAME for RFC5424 syslog. Added the following *snmptt.ini* settings: *syslog_module*, *syslog_remote_dest*, *syslog_remote_port*, *syslog_remote_proto*, *syslog_rfc_format*, *syslog_app* and *syslog_system_app*.
- Added *--preexec* and *-preexec_file* options to *snmpttconvertmib*.
- Added reload support to the *snmptt.service* systemd file. This will allow you to use the *'systemctl reload snmptt'* command to reload the configuration.
- Fixed a bug that prevented snmptt from starting when debug mode was disabled (bug 48).
- Fixed debug output bug with snmptthandler-embedded (PR 1).
- Fixed a bug with IPv6 address handling for NODES in snmptt.conf.
- Fixed a bug that prevented the hostname from being extracted when IPv6 is disabled and the hostname is passed from Net-SNMP as UDP: [x.x.x.x]:xxxx->[x.x.x.x]:xxxx.
- Updated documentation on securing SNMPTT to ensure the snmptt user has read access to the configuration files. This is required when issuing a reload.
- *snmptthandler-embedded*:
  - Varbind types *Gauge32* and *Hex-STRING* now have the Gauge32: and Hex-STRING: text removed for incoming traps. Unicode line endings are also removed (Perl 5.10 and higher).

Download: https://sourceforge.net/projects/snmptt/files/snmptt/snmptt_1.5beta2/
|
From: Bernard F. <ber...@gm...> - 2021-11-15 18:05:20
|
Hello, We have 6 servers where snmptt is running. On two of them, the log snmptt.log is not created but all other logs are created. The file snmptt.ini is identical on the 6 servers. Any idea why two installations of snmptt wouldn't create the snmptt.log file ? Thanks, Bernard |
From: Alex B. <al...@us...> - 2021-04-19 23:14:49
|
Hi Greg.

Your match statement is looking for SIPPS in $1 which is alarmShortTrapElementInstance. Is this the correct variable to be searching? If you don't know the variable, you could try this instead:

    MATCH $*: (SIPPS)

Alex

On Mon, 19 Apr 2021 at 17:57, Greg Teiber <gt...@fi...> wrote:

> Hello everyone,
>
> I am attempting to stop most alarms coming in from a device of mine, and..
> it's rather chatty. I know what I am looking for. Specifically, in the
> trap, I want it to pass on the alarm that says "SIPPS" but I can't seem to
> figure out how to make the MATCH variable work.
>
> I currently have the following:
>
> #
> EVENT alarmShortTrap .1.3.6.1.4.1.19444.6.2.1.2 "Status Events" Critical
> FORMAT This is a short alarm trap table for MetaSwitch. $*
> SDESC
> This is a short alarm trap table for MetaSwitch.
> This behaves similarly to the alarmTrap MIB, but
> contains fewer fields. This should be used when
> your network or alarm monitoring application requires
> alarm notifcations that are not fragmented. Sending
> this trap type is configured through the MetaView
> Explorer on the SNMP Alarm Destination object.
> Variables:
> 1: alarmShortTrapElementInstance
> 2: alarmShortTrapElementType
> 3: alarmShortTrapDisplayName
> 4: alarmShortTrapGroup
> 5: alarmShortTrapAlarmedObjectPrimaryOID
> 6: alarmShortTrapSeverity
> 7: alarmShortTrapAlarmType
> 8: alarmShortTrapDescription
> 9: alarmShortTrapAssociatedProblemDescription
> 10: alarmShortTrapLogCorrelator
> 11: alarmShortTrapLogID
> 12: alarmShortTrapEMSName
> 13: alarmShortTrapEquipmentType
> 14: alarmShortTrapEquipmentName
> 15: alarmShortTrapEquipmentSoftwareVersion
> 16: alarmShortTrapAlarmTimestamp
> 17: alarmShortTrapAlarmCount
> 18: alarmShortTrapCountResetTimestamp
> 19: alarmShortTrapAlarmIndex
> EDESC
> MATCH $1: (SIPPS)
>
> Am I getting this wrong? I am definitely doing something, because without
> the MATCH I get LOTS of alarms. Adding match.. and nothing. Even for text
> strings that I know are in the trap.
>
> Thank you,
>
> Greg T
|
From: Greg T. <gt...@fi...> - 2021-04-19 21:57:48
|
Hello everyone,

I am attempting to stop most alarms coming in from a device of mine, and.. it's rather chatty. I know what I am looking for. Specifically, in the trap, I want it to pass on the alarm that says "SIPPS" but I can't seem to figure out how to make the MATCH variable work.

I currently have the following:

    #
    EVENT alarmShortTrap .1.3.6.1.4.1.19444.6.2.1.2 "Status Events" Critical
    FORMAT This is a short alarm trap table for MetaSwitch. $*
    SDESC
    This is a short alarm trap table for MetaSwitch.
    This behaves similarly to the alarmTrap MIB, but
    contains fewer fields. This should be used when
    your network or alarm monitoring application requires
    alarm notifcations that are not fragmented. Sending
    this trap type is configured through the MetaView
    Explorer on the SNMP Alarm Destination object.
    Variables:
    1: alarmShortTrapElementInstance
    2: alarmShortTrapElementType
    3: alarmShortTrapDisplayName
    4: alarmShortTrapGroup
    5: alarmShortTrapAlarmedObjectPrimaryOID
    6: alarmShortTrapSeverity
    7: alarmShortTrapAlarmType
    8: alarmShortTrapDescription
    9: alarmShortTrapAssociatedProblemDescription
    10: alarmShortTrapLogCorrelator
    11: alarmShortTrapLogID
    12: alarmShortTrapEMSName
    13: alarmShortTrapEquipmentType
    14: alarmShortTrapEquipmentName
    15: alarmShortTrapEquipmentSoftwareVersion
    16: alarmShortTrapAlarmTimestamp
    17: alarmShortTrapAlarmCount
    18: alarmShortTrapCountResetTimestamp
    19: alarmShortTrapAlarmIndex
    EDESC
    MATCH $1: (SIPPS)

Am I getting this wrong? I am definitely doing something, because without the MATCH I get LOTS of alarms. Adding match.. and nothing. Even for text strings that I know are in the trap.

Thank you,

Greg T
|
From: Alex B. <al...@us...> - 2021-03-26 01:32:44
|
SNMPTT 1.5beta1 has been released. Please report any issues to this list or file a bug report at https://sourceforge.net/p/snmptt/bugs/.

What's New:

- Added support for IPv6. To enable, set *ipv6_enable = 1* in snmptt.ini.
- Added support for sub-second sleep for spool folder processing.
- *snmptt.ini* can now be located in */etc/snmptt* and is searched for at this location first.
- Fixed a bug with *daemon_uid* that prevented SNMPTT from starting on FreeBSD (bug 47).
- Fixed a bug where traps arriving with the hostname set to UNKNOWN were not being handled properly (bug 46).
- Fixed a bug with *MATCH* which was preventing it from matching integers properly (bug 41).
- Fixed a bug where the agent IP address was not handled correctly when it was received from Net-SNMP as *IpAddress:x.x.x.x* (bug 27).
- Fixed a race condition bug with *snmptthandler* and *snmptthandler-embedded* which could cause traps to be missed. Spool files are now immediately locked after creation using flock(). If flock() is not supported, the spool file will be created with a temporary filename and then renamed after closing.
- Fixed a bug with *wildcard_expansion_separator* which caused an issue when using wildcard separators that were longer than one character (bug 38).
- Fixed a bug where quotes were not properly removed from some incoming traps.
- Fixed bug with debug mode that was causing some debug mode output even when debug mode was off.
- Fixed a bug where DNS resolution was not working for enterprise variables when *net_snmp_perl_enable* was disabled.
- Changed *net_snmp_perl_best_guess* default from 0 to 2 as any modern system should support this. See FAQ and snmptt.ini for details on this variable.
- Enabled Perl warnings to help ensure code is following best practices.
- Ran code against Perl::Critic to find non-optimal code. Made various adjustments such as replacing bare words with variables and changing open() calls from two arguments to three.
- Documentation was converted from html to markdown to make it easier to maintain and a full review was completed. Many improvements have been made including a new section on integrating with Icinga. The docs folder now contains *.md*, *.html* and *.epub* versions of the documentation.
- *snmpttconvertmib*:
  - Added *--exec_file* option to allow you to provide an EXEC command inside of a file instead of specifying on the command line. Useful for commands that include quotes so that you don't have to worry about escaping on the command line. Also allows you to define multiple EXEC lines instead of just one.
  - Added *--exec_mode* option to allow you change how the EXEC line is built. Setting to *0* will append the format line to the end of the line (default). Setting to *1* does not append the format line to the end of the line. This is useful if you have added *$Fz* to the *--exec* line so that SNMPTT can replace it with the FORMAT line. Setting to *2* is similar to *1*, but instead of SNMPTT having to replace *$Fz* with the FORMAT line, *snmpttconvertmib* will do the substitution.

Download: https://sourceforge.net/projects/snmptt/files/snmptt/snmptt_1.5beta1/
|
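The spool hand-off named in the 1.5beta1 notes above (flock() right after creation, or a temporary filename renamed after closing), as an added Python example that is not SNMPTT's own code. The file names, the `TEMP_PREFIX` convention, the reader logic and the sample trap lines are assumptions constructed for the illustration.

```python
import fcntl
import os
import tempfile

TEMP_PREFIX = ".tmp-"  # assumption: prefix the reader is told to ignore

# Constructed sample trap; not claimed to be SNMPTT's real spool layout.
SAMPLE_TRAP = [
    "router1.example.net",
    "192.0.2.10",
    ".1.3.6.1.2.1.1.3.0 0:0:05:12.00",
    ".1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.9.9.187.0.1",
]


class LockedSpoolWriter:
    """Creates a spool file and holds an exclusive flock() until close()."""

    def __init__(self, spool_dir, name):
        self.path = os.path.join(spool_dir, name)
        self.fh = open(self.path, "w")
        fcntl.flock(self.fh, fcntl.LOCK_EX)  # lock right after creation

    def write(self, line):
        self.fh.write(line + "\n")
        self.fh.flush()

    def close(self):
        self.fh.close()  # closing the descriptor releases the lock


def write_with_rename(spool_dir, name, lines):
    """Fallback without flock(): write under a temporary name, then rename."""
    tmp = os.path.join(spool_dir, TEMP_PREFIX + name)
    with open(tmp, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
        fh.flush()
        os.fsync(fh.fileno())
    final = os.path.join(spool_dir, name)
    os.rename(tmp, final)  # atomic when both names are on one filesystem
    return final


def read_naive(spool_dir):
    """Racy reader: takes whatever bytes are in each file right now."""
    out = {}
    for name in sorted(os.listdir(spool_dir)):
        with open(os.path.join(spool_dir, name)) as fh:
            out[name] = fh.read().splitlines()
    return out


def read_safe(spool_dir):
    """Reader that consumes only files the writer has finished with."""
    out = {}
    for name in sorted(os.listdir(spool_dir)):
        if name.startswith(TEMP_PREFIX):
            continue  # still being written under its temporary name
        path = os.path.join(spool_dir, name)
        with open(path) as fh:
            try:
                fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
            except BlockingIOError:
                continue  # writer still holds the lock
            lines = fh.read().splitlines()
        if not lines:
            continue  # created but nothing written yet; retry next pass
        out[name] = lines
        os.remove(path)
    return out


def demo():
    """Interleaves a writer and both readers the way a busy spool would."""
    with tempfile.TemporaryDirectory() as spool:
        writer = LockedSpoolWriter(spool, "trap-0001")
        for line in SAMPLE_TRAP[:2]:
            writer.write(line)
        naive_mid = read_naive(spool)   # sees a truncated trap
        safe_mid = read_safe(spool)     # sees nothing yet
        for line in SAMPLE_TRAP[2:]:
            writer.write(line)
        writer.close()
        safe_done = read_safe(spool)    # now sees the complete trap
        write_with_rename(spool, "trap-0002", SAMPLE_TRAP)
        safe_renamed = read_safe(spool)
        return naive_mid, safe_mid, safe_done, safe_renamed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The naive reader returns only the first two lines of the trap, with no trap OID, while the writer is mid-file; the locked and renamed variants never expose a partial file.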
From: Jim M. <jm...@in...> - 2020-02-26 17:00:11
|
hi, i'm trying to track down the MIB to add HP Proliant servers to our snmptt config. seems that HP has zero interest in making that easy. any help here? --jim -- Jim Mercer Director - Systems Engineering +14164105633 jm...@in... |
From: Facundo A. <fac...@ma...> - 2018-02-13 17:32:46
|
Hi,

snmpttconvertmib takes NOTIFICATION-TYPE and TRAP-TYPE definitions from DESCRIPTION field, that really are no definitions. For instance, from the file OSPF-TRAP-MIB:

    ospfTrapEventGroup NOTIFICATION-GROUP
        NOTIFICATIONS { ospfVirtIfStateChange, ospfNbrStateChange, ospfVirtNbrStateChange, ospfIfConfigError, ospfVirtIfConfigError, ospfIfAuthFailure, ospfVirtIfAuthFailure, ospfIfRxBadPacket, ospfVirtIfRxBadPacket, ospfTxRetransmit, ospfVirtIfTxRetransmit, ospfOriginateLsa, ospfMaxAgeLsa, ospfLsdbOverflow, ospfLsdbApproachingOverflow, ospfIfStateChange, ospfNssaTranslatorStatusChange, ospfRestartStatusChange, ospfNbrRestartHelperStatusChange, ospfVirtNbrRestartHelperStatusChange }
        STATUS current
        DESCRIPTION "A grouping of OSPF trap events, as specified in *NOTIFICATION-TYPE* constructs."
        ::= { ospfTrapGroups 2 }
    END

snmpttconvertmib output:

    # Line: 580
    *NOTIFICATION-TYPE: in*
    Looking up via snmptranslate: OSPF-TRAP-MIB::in
    Unknown object identifier: OSPF-TRAP-MIB::in
    OID:

Other example, from file VDSL2-LINE-MIB:

    ------------------------------------------------
    -- xdsl2LineAlarmConfProfileTable --
    ------------------------------------------------
    xdsl2LineAlarmConfProfileTable OBJECT-TYPE
        SYNTAX SEQUENCE OF Xdsl2LineAlarmConfProfileEntry
        MAX-ACCESS not-accessible
        STATUS current
        DESCRIPTION "The table xdsl2LineAlarmConfProfileTable contains DSL line performance threshold values. If a performance counter exceeds the threshold value specified in this table, then the SNMP agent will issue a threshold trap. Each performance counter has a unique trap type (see *NOTIFICATION-TYPE* definitions below). One trap will be sent per interval, per interface, per trap type. A value of 0 will disable the trap. Entries in this table MUST be maintained in a persistent manner."
        ::= { xdsl2ProfileAlarmConf 2 }

snmpttconvertmib output:

    # Line: 4440
    *NOTIFICATION-TYPE: see*
    Enterprise: xdsl2LineAlarmConfProfileTable
    Looking up via snmptranslate: VDSL2-LINE-MIB::see
    Unknown object identifier: VDSL2-LINE-MIB::see
    OID:

I just can get snmpttconvertmib to skip definitions in DESCRIPTION fields.

Any help is appreciated, thanks!

*Facundo Aguirre*
*Gerencia de redes y sistemas*
*Tel/Fax: +54 376 442-1600 int. 117*
*Cel. 1: +54 9 376 457-9724*
*Cel. 2: +54 9 376 429-9002*
*Rivadavia 1435, Posadas, Misiones*
*www*.*marandu.com.ar* <http://www.marandu.com.ar>
|
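A pre-check for the symptom reported above, as an added Python example that is not snmpttconvertmib's code: it blanks out quoted strings and `--` comments before looking for `NOTIFICATION-TYPE` / `TRAP-TYPE` definitions, and lists the hits a plain keyword scan would report by mistake. The sample MIB and all function names are constructed for the illustration, and comment handling is simplified to "`--` up to end of line".

```python
import re

# A definition is "<lowercase-initial name> <keyword>"; the lookbehind stops
# a match from starting in the middle of a hyphenated identifier.
DEF_RE = re.compile(
    r"(?<![\w-])([a-z][A-Za-z0-9-]*)\s+(NOTIFICATION-TYPE|TRAP-TYPE)\b"
)

# Constructed sample modelled on the two excerpts in the post.
SAMPLE_MIB = '''\
EXAMPLE-TRAP-MIB DEFINITIONS ::= BEGIN
-- legacy TRAP-TYPE macros are not used in this module
exampleLinkChange NOTIFICATION-TYPE
    OBJECTS { exampleIfIndex }
    STATUS current
    DESCRIPTION
        "Sent when a link changes state."
    ::= { exampleTraps 1 }
exampleTrapEventGroup NOTIFICATION-GROUP
    NOTIFICATIONS { exampleLinkChange }
    STATUS current
    DESCRIPTION
        "A grouping of trap events, as specified in
         NOTIFICATION-TYPE constructs."
    ::= { exampleGroups 2 }
exampleConfTable OBJECT-TYPE
    SYNTAX SEQUENCE OF ExampleConfEntry
    MAX-ACCESS not-accessible
    STATUS current
    DESCRIPTION
        "Each counter has a unique trap type (see NOTIFICATION-TYPE
         definitions below)."
    ::= { exampleConf 2 }
END
'''


def mask_strings_and_comments(text):
    """Replace quoted strings and -- comments with spaces.

    Newlines and character offsets are preserved so that line numbers
    computed on the masked text still point into the original file.
    """
    out = []
    in_string = False
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if in_string:
            if ch == '"':
                in_string = False
            out.append("\n" if ch == "\n" else " ")
            i += 1
        elif ch == '"':
            in_string = True
            out.append(" ")
            i += 1
        elif text.startswith("--", i):
            end = text.find("\n", i)
            end = n if end == -1 else end
            out.append(" " * (end - i))
            i = end
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_definitions(text, mask=True):
    """Return (line, keyword, name) for each definition found."""
    scan = mask_strings_and_comments(text) if mask else text
    found = []
    for m in DEF_RE.finditer(scan):
        line = scan.count("\n", 0, m.start(2)) + 1
        found.append((line, m.group(2), m.group(1)))
    return found


def false_positives(text):
    """Hits that exist only because of DESCRIPTION text or comments."""
    real = find_definitions(text, mask=True)
    return [hit for hit in find_definitions(text, mask=False) if hit not in real]


if __name__ == "__main__":
    print("definitions:", find_definitions(SAMPLE_MIB))
    print("false positives:", false_positives(SAMPLE_MIB))
```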
From: Browne, R. <Ric...@op...> - 2018-01-17 09:39:00
|
I am trying to get regex replacements to work with nagios. I have allow unsafe regex turned on in snmptt.ini.

This is the trap in snmp.conf -

    #
    EVENT cbgpFsmStateChange .1.3.6.1.4.1.9.9.187.0.1 "Status Events" CRITICAL
    FORMAT The BGP cbgpFsmStateChange notification is generated $*
    EXEC /usr/local/bin/snmptraphandling.py "$r" "Traps - BGP" "$s" "$@" "$-*" "BGP state change from test $4 to $2 Error: $1 $3 "
    REGEX (established) (<strong style='color:green'>established</strong>)
    REGEX (active) (<strong style='color:orange'>active</strong>)
    REGEX (idle) (<strong style='color:red'>idle</strong>)
    SDESC
    The BGP cbgpFsmStateChange notification is generated for every BGP FSM state change. The bgpPeerRemoteAddr value is attached to the notification object ID.
    Variables:
    1: bgpPeerLastError
    2: bgpPeerState
    3: cbgpPeerLastErrorTxt
    4: cbgpPeerPrevState
    EDESC
    #

The idea is that it would colourize the words using html, but the regex is not changing the message at all. I've tried just putting test -

    REGEX (established) (test)
    REGEX (active) (test)
    REGEX (idle) (test)

Just in case it didn't like the special chars but this also didn't work. I even tried changing a word that always appears in the message but that didn't work either -

    REGEX (BGP) (testBGPtest)

Any ideas?

Thanks,
Rick
|
From: Butter, d. H.R. (S&I\\ ATMS\\ IS) <h.b...@lv...> - 2017-12-14 16:34:21
|
Hi, Is there a method to convert incoming SNMP V2c traps to V1 traps ? Met vriendelijke groet, with kind regards, Harry Butter Product Engineer Dep. ATMS/IS Air Traffic Control the Netherlands |
From: Nobuo M. <No...@la...> - 2015-07-02 20:44:11
|
Hi, I am using snmptt v1.4. When I receive a trap from a device, snmptt $# shows 3. But when I capture packets using tcpdump, it shows 14 items. Does anybody have similar experience? Thanks Nobuo |
From: Matthias N. <mat...@gm...> - 2015-02-27 10:10:54
|
Hello,

this question is not directly related to snmptt, but I hope to find someone who could help me with a MIB file. There must be an error in it that I am unable to spot.

The four OIDS

    .1.3.6.1.4.1.7465.20.2.6.0.0
    .1.3.6.1.4.1.7465.20.2.6.0.1
    .1.3.6.1.4.1.7465.20.2.6.0.2
    .1.3.6.1.4.1.7465.20.2.6.0.3

are supposed to be traps. If I call

    snmptranslate -Td .1.3.6.1.4.1.7465.20.2.6.0

(i.e. the prefix without the last digit) I get

    WISI-HEADEND-ROOT-MIB::headendMib
    headendMib MODULE-IDENTITY
      -- FROM WISI-HEADEND-ROOT-MIB
      DESCRIPTION "The MIB module is for representing analog and digital equipment present in the headend and is supported by a SNMP agent. This module defines the root OID for the headend device MIBs. This module also defines textual conventions that are common across headend devices."
    ::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) wisi(7465) equipment(20) devices(2) headend(6) 0 }

So, this works. If I call snmptranslate for the first trap

    snmptranslate -Td .1.3.6.1.4.1.7465.20.2.6.0.0

I get

    WISI-TRAP-MIB::headendMib#
    headendMib# TRAP-TYPE
      -- FROM WISI-TRAP-MIB
    ::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) wisi(7465) equipment(20) devices(2) headend(6) headendMib(0) 0 }

Some things are already strange. The reported name (WISI-TRAP-MIB::headendMib#) is not correct. It should be "WISI-TRAP-MIB::wisiColdStart" not "WISI-TRAP-MIB::headendMib#". Moreover the description is missing.

If I call snmptranslate for the last three traps, e.g.

    snmptranslate -Td .1.3.6.1.4.1.7465.20.2.6.0.1

I get

    WISI-HEADEND-ROOT-MIB::headendMib.1

Hence, they seem to be totally unknown. I just get the prefix appended by the last digit.

Here is the MIB file, perhaps someone can spot the error:

    WISI-TRAP-MIB DEFINITIONS ::= BEGIN

    IMPORTS
        commonPhysAddress, commonLogicalID
            FROM SCTE-HMS-COMMON-MIB
        alarmLogInformation
            FROM SCTE-HMS-ALARMS-MIB
        dlDownloadErrorStatus, dlDownloadImage, dlDownloadDevice
            FROM SCTE-HMS-DOWNLOAD-MIB
        headendMib
            FROM WISI-HEADEND-ROOT-MIB;

    wisiColdStart TRAP-TYPE
        ENTERPRISE headendMib
        VARIABLES { commonPhysAddress, commonLogicalID }
        DESCRIPTION "A wisiColdStart trap signifies that the sending protocol entity is reinitializing itself such that the agent's configuration or the protocol entity implementation may be altered. This trap is only issued by the transponder once the registration has been completed successfully."
        ::= 0

    wisiAlarmEvent TRAP-TYPE
        ENTERPRISE headendMib
        VARIABLES { commonPhysAddress, commonLogicalID, alarmLogInformation }
        DESCRIPTION "The SNMP trap that is generated when an alarm event is found. At the option of the transponder, the alarmText variable may be reported as a fourth varbind, for those instances where an additional text field is indicated by the object, as noted in the alarmText object description. Also, at the option of the transponder, additional specific varbinds MAY be added to clearly define the event that caused the trap to be sent. In the case where the event is defined in the propertyTable, the additional varbinds (when present) MUST BE the parameterOID object & value and the currentAlarmState object & value (see HMS026) from the table entry for which the trap was generated. In the case where the event is defined in the discretePropertyTable, the additional varbinds (when present) MUST BE the discreteParameterOID object & value and the discreteAlarmState object & value from the table entry for which the trap was generated. The non-optional parameters of the trap (commonPhysAddress, commonLogicalID, alarmLogInformation) MUST still be filled in properly, regardless of whether additional parameters are appended. It is highly recommended that transponders not requiring specific HMS software at the headend include these varbinds in order to assist networks that do not implement HMS-specific SNMP management software. Additionally, though indicated as an option for the transponder, it is recommended that transponders using HMS specified RF transmission (specifically, SCTE 25-1 aka HMS005) SHOULD NOT append these additional parameters, due to the limited bandwidth available in the return path."
        ::= 1

    wisiWarmStart TRAP-TYPE
        ENTERPRISE headendMib
        VARIABLES { commonPhysAddress, commonLogicalID }
        DESCRIPTION "A wisiWarmStart trap signifies that the sending protocol entity is reinitializing itself such that neither the agent's configuration nor the protocol entity implementation is altered. This trap is only issued by the transponder once the registration has been completed successfully."
        ::= 2

    wisiDownloadStatus TRAP-TYPE
        ENTERPRISE headendMib
        VARIABLES { commonPhysAddress, commonLogicalID, dlDownloadErrorStatus, dlDownloadImage, dlDownloadDevice }
        DESCRIPTION "A wisiDownloadStatus trap is generated when dlDownloadErrorStatus is set in response to an error."
        ::= 3

    END

--
Matthias Nagel
Parkstraße 27, 76131 Karlsruhe, Germany
Landline: +49-721-96869289, Mobile: +49-151-15998774
e-Mail: mat...@gm..., Skype: nagmat84
|
From: andrewarnier <and...@gm...> - 2014-11-25 05:50:29
|
Hi Rock and all,

Thanks for your reply! But when I tried your action in my sec pair rule, I can get %time1 but can't get %time2. I got the error as follows:

    E Evaluating code 'my $str = "Tue Nov 25 2014 13:48:01 ";my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov',' dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my %month_hash;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date $time";' and setting variable '%time1'
    Variable '%time1' set to '2014-11-25 13:48:01'
    Evaluating code 'my $str = "Tue Nov 25 2014 13:48:04 ";my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov',' dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my ;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date $time";' and setting variable '%time2'
    Error evaluating code 'my $str = "Tue Nov 25 2014 13:48:04 ";my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov',' dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my ;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date $time";': syntax error at (eval 12) line 1, at EOF

My sec pair rule:

    type=Pair
    ptype=RegExp
    pattern=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CI-6500 Carrier Loss On The LAN in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
    desc=TN-15600 Carrier Loss On The LAN in %7(%8)
    action=eval %time1 ( my $str = "$1 $2 $3 $4 $5 ";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";)
    ptype2=RegExp
    pattern2=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CA-6500 Transport Layer Failure in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
    desc2= HC-15600 Transport Layer Failure in $7($8)
    action2=eval %time2 ( my $str = "$1 $2 $3 $4 $5 ";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";)\
    ; write SEC_fifo %time1,%time2, CI-6500, CA-6500,%7,$7,%8,$8,carrierLossOnTheLAN,Critical,%6,transportLayerFailure,Major
    window=10

Anyone knows what's wrong with my rule? How to fix?

Thanks,
Andrew

From: MILLS, ROCKY [mailto:rx...@at...]
Sent: Saturday, November 22, 2014 4:26 AM
To: sim...@li...
Subject: Re: [Simple-evcorr-users] how to get pattern variable $1 to action ?

Hi Andrew,

You can use 'eval' action to reformat the $1 timestamp. Same perl code (except you need %% for month_hash):

    eval %time ( my $str = "$1";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";\
    )

Regards,
Rock

From: andrewarnier [mailto:and...@gm...]
Sent: Friday, November 21, 2014 1:26 AM
To: sim...@li...
Subject: [Simple-evcorr-users] how to get pattern variable $1 to action ?

Hi all,

I want to get the trap time, but the trap time format is "Fri Nov 21 2014 15:04:32". How to change the format to "2014-11-21 15:04:32" in my single rule? I try to convert the datetime format in my sec rule, but my rule action can't get the variable $1. Anyone knows what's wrong with my rule? How to fix?

    type=Single
    ptype=Regexp
    pattern=(\S+) .1.3.6.1.4.1.3607.2.20.0.430 192.168.11.15 Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
    desc= CA -15600 Loss of signal events for interface $2($3)
    action=lcall %time -> ( sub { my $str = '$1';\
    my @months =('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time"; } );shellcmd /home/andrew/code/sendmail.sh "Loss Of Signal" "CA-15600 Loss of signal events for interface $2($3)" "%time"

cheers,
Andrew
|
From: andrewarnier <and...@gm...> - 2014-11-25 05:43:44
|
Hi Rock and all,

Thanks for your reply! But when I tried your action in my sec pair rule, I can get %time1 but can't get %time2. I got the error as follows:

    Evaluating code 'my $str = "Tue Nov 25 2014 13:34:05 ";my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov',' dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my %month_hash;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date $time";' and setting variable '%time1'
    Variable '%time1' set to '2014-11-25 13:34:05'
    Evaluating code 'my $str2 = "Tue Nov 25 2014 13:34:07 ";my @months2=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov', 'dec');my ($day2,$mon2,$date2,$year2,$time2) = split(' ',lc($str2));my ;@month_hash2{@months2} = (1 .. 12);return "$year2-$month_hash2{$mon2}-$date2 $time2";' and setting variable '%time2'
    Error evaluating code 'my $str2 = "Tue Nov 25 2014 13:34:07 ";my @months2=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov', 'dec');my ($day2,$mon2,$date2,$year2,$time2) = split(' ',lc($str2));my ;@month_hash2{@months2} = (1 .. 12);return "$year2-$month_hash2{$mon2}-$date2 $time2";': syntax error at (eval 12) line 1, at EOF

My sec pair rule:

    type=Pair
    ptype=RegExp
    pattern=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CI-6500 Carrier Loss On The LAN in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
    desc=TN-15600 Carrier Loss On The LAN in %7(%8)
    action=eval %time1 ( my $str = "$1 $2 $3 $4 $5 ";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";)
    ptype2=RegExp
    pattern2=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CA-6500 Transport Layer Failure in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
    desc2= HC-15600 Transport Layer Failure in $7($8)
    action2=eval %time2 ( my $str = "$1 $2 $3 $4 $5 ";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";)\
    ; write SEC_fifo %time1,%time2, CI-6500, CA-6500,%7,$7,%8,$8,carrierLossOnTheLAN,Critical,%6,transportLayerFailure,Major
    window=10

Anyone knows what's wrong with my rule? How to fix?

Thanks,
Andrew

From: MILLS, ROCKY [mailto:rx...@at...]
Sent: Saturday, November 22, 2014 4:26 AM
To: sim...@li...
Subject: Re: [Simple-evcorr-users] how to get pattern variable $1 to action ?

Hi Andrew,

You can use 'eval' action to reformat the $1 timestamp. Same perl code (except you need %% for month_hash):

    eval %time ( my $str = "$1";\
    my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %%month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time";\
    )

Regards,
Rock

From: andrewarnier [mailto:and...@gm...]
Sent: Friday, November 21, 2014 1:26 AM
To: sim...@li...
Subject: [Simple-evcorr-users] how to get pattern variable $1 to action ?

Hi all,

I want to get the trap time, but the trap time format is "Fri Nov 21 2014 15:04:32". How to change the format to "2014-11-21 15:04:32" in my single rule? I try to convert the datetime format in my sec rule, but my rule action can't get the variable $1. Anyone knows what's wrong with my rule? How to fix?

    type=Single
    ptype=Regexp
    pattern=(\S+) .1.3.6.1.4.1.3607.2.20.0.430 192.168.11.15 Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
    desc= CA -15600 Loss of signal events for interface $2($3)
    action=lcall %time -> ( sub { my $str = '$1';\
    my @months =('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
    my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
    my %month_hash;\
    @month_hash{@months} = (1 .. 12);\
    return "$year-$month_hash{$mon}-$date $time"; } );shellcmd /home/andrew/code/sendmail.sh "Loss Of Signal" "CA-15600 Loss of signal events for interface $2($3)" "%time"

cheers,
Andrew
|
From: Pat <pa...@pa...> - 2014-07-22 17:09:53
|
Hi there,

There are a few devices which trap out with only 2 trap OIDs. The OID we care about is in varbind #2. Is there a way to translate varbind #2 in the trap?

Some details of the trap itself and the varbinds are here: http://serverfault.com/questions/611738/why-isnt-snmptt-translating-this-trap

This will help alert Nagios to the proper trap.

Thanks
|
From: Bruce S. <b.e...@co...> - 2014-07-09 07:57:52
|
Hi Alex Experiments complete. You are totally correct - use of the "-On" switch for snmptrapd avoids this problem. I've even found that nicely documented (Step 10 of the "Embedded handler" installation instructions). I guess the right thing to do at this point is to withdraw this proposed patch :-( Regards Bruce On 08/07/14 11:29, Bruce Smith wrote: > Hi Alex > > Good point. I just checked and my snmptrapd is using the out-of-box > CentOS 6.5 default options (-Lsd). I'll do a careful experiment (with > SNMPTT stopped so I can capture the staging file) of both "-Lsd" and > "-On" and get back to you. > > Regards > Bruce > > On 07/07/14 02:24, Alex Burger wrote: >> Hi Brad. >> >> Do you have this issue when running snmptrapd with the -On switch? >> >> Alex >> >> >> On Friday, July 4, 2014, Bruce Smith <b.e...@co... >> <mailto:b.e...@co...>> wrote: >> >> Hi >> >> I've found that sometimes the varbinds for the sysUpTimeInstance and >> snmpTrapOID are delivered from snmptrapd to snmptt in symbolic format >> instead of numeric OID format. A patch for version 1.4 follows: >> >> --- snmptthandler-embedded 2013-11-07 14:38:52.000000000 >> +1300 >> +++ /opt/software/snmptt_1.4/snmptthandler-embedded 2014-04-08 >> 19:56:12.753044407 +1200 
>> @@ -121,13 +121,13 @@ >> $value =~ s/^IpAddress: //g; >> $value =~ s/^Timeticks: //g; >> >> - if ($oid eq ".1.3.6.1.2.1.1.3.0") { >> + if (($oid eq ".1.3.6.1.2.1.1.3.0") || ($oid eq >> "DISMAN-EVENT-MIB::sysUpTimeInstance")) { >> # my $temp = $value; >> # $temp =~ /Timeticks: \(.*?\) (.*)/; >> # $uptime = $oid . " " . $1; >> $uptime = $oid . " " . $value; >> } >> - elsif ($oid eq ".1.3.6.1.6.3.1.1.4.1.0") { >> + elsif (($oid eq ".1.3.6.1.6.3.1.1.4.1.0") || ($oid eq >> "SNMPv2-MIB::snmpTrapOID.0")) { >> # my $temp = $value; >> # $temp =~ /OID: (.*)/; >> # $trapname = $oid . " " . $1; >> >> >> Regards >> Bruce >> ------------------------------------------------------------------------------ >> Open source business process management suite built on Java and >> Eclipse >> Turn processes into business applications with Bonita BPM >> Community Edition >> Quickly connect people, data, and systems into organized workflows >> Winner of BOSSIE, CODIE, OW2 and Gartner awards >> http://p.sf.net/sfu/Bonitasoft >> _______________________________________________ >> Snmptt-users mailing list >> Snm...@li... <javascript:;> >> https://lists.sourceforge.net/lists/listinfo/snmptt-users >> > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Snmptt-users mailing list > Snm...@li... > https://lists.sourceforge.net/lists/listinfo/snmptt-users > > |
From: Darmody, A. (ADARMODY) <ADA...@ar...> - 2014-07-08 14:32:25
|
Hey Jim, Yep, I've tried to narrow down the problem to the snmptthandler. I turned off the SNMPTT daemon, let the spool directory fill up over 24 hours, then copied all those files to a different directory to see if any of them would show up as 'unknown' when I restarted SNMPTT but no, all of them were imported and parsed correctly by SNMPTT! (on average there would have been ~10 unknown traps in 24 hours). It looks like http://sourceforge.net/p/snmptt/mailman/message/25167002 is having the same problem as well. Maybe I'll try the RAM disk next... thanks for your help! Andrew -----Original Message----- Sent: Monday, July 07, 2014 11:05 AM To: Darmody, Andrew (ADARMODY) Cc: snm...@li... Subject: Re: [Snmptt-users] Intermittent Unknown Traps (Possible Race Condition?) Andrew, yes I see the same thing here occasionally - on average about once every two weeks here (but I guess we're handling a lot fewer traps than you are). If your Linux system is at all similar to mine, you should find that snmptrapd writes log output to either /var/log/syslog or /var/log/debug . It might be worth checking those to confirm that snmptrapd has picked up the trap correctly before passing it on to the spool directory for processing by snmptt. If I recall correctly, this happens more so when the system is particularly busy. I put a lot of work in to optimising the Nagios install on our server to bring down CPU load a while ago, which alleviated but didn't entirely eliminate the issue. I would maybe recommend moving the spool directory to a RAM disk to improve performance, but having tried that for Nagios and finding that file locking broke (ymmv), I'm not so sure it would help! Personally I'm just living with the issue for the time being on the principle that SNMP over UDP is never going to be 100% reliable anyway... 
Cheers, Jim On 7 July 2014 15:19, Darmody, Andrew (ADARMODY) <ADA...@ar...> wrote: > Hello All, > I've been using SNMPTT in daemon mode for the past few months to monitor the SNMP traffic in our network (~100,000 traps a day). I have set up logging to snmptt.log (no database or syslog setup). So far I am very impressed with the speed and ease of use of SNMPTT but there is one problem that I am starting to notice. Right now I have a generic wildcard catch-all OID configured in the trap conf files (EVENT UNKNOWN_TRAP .* "UNKNOWN" UNKNOWN) so that in case we are sent a trap with an OID that isn't configured it will at least be logged into snmptt.log so that our post-processing application can pick it up. In addition, I also have unknown_trap_log_enable = 1 in snmptt.ini for a fallback thinking that nothing should show up in that log file because it should be picked up by the wildcard catch-all OID .* in the conf files. However, over the past few months a handful of traps have been getting logged into the snmpttunknown.log file. Looking into this file 90% of the entries look like this: > > Thu Jan 1 00:00:00 1970: Unknown trap () received from at: > Value 0: > Value 1: > Value 2: > Value 3: > Value 4: > Value 5: > Value 6: > Value 7: > Value 8: > Value 9: > Value 10: > > But a few are look like this (with the 'uptime' field inserted into where the OID should be): > > Thu Jan 1 00:00:00 1970: Unknown trap (0:10:36:50.00) received from 1404339384 at: > Value 0: 1404339384 > Value 1: > Value 2: [172.16.1.132]:60734->[172.16.1.133] > Value 3: 0:10:36:50.00 > Value 4: 172.16.1.132 > Value 5: public > Value 6: .1.3.74.1.10 > Value 7: > Value 8: > Value 9: > Value 10: > Ent Value 0: .1.3.6.1.6.3.1.1.4.1.0=.1.3.74.1.10.0.50003 > Ent Value 1: .1.3.74.1.10.1.3=UL > Ent Value 2: .1.3.74.1.10.1.4=0 > Ent Value 3: .1.3.74.1.10.1.5=0 > > I am also running wireshark on this box and all the traps that SNMPTT treats as 'unknown' are getting received and parsed correctly by wireshark. 
I am starting to suspect that this could possibly be a race condition between snmptthandler trying to write the trap to the spool directory and SNMPTT coming around in daemon mode to read the spool file before the snmptthandler is completely done writing to the spool directory (and therefore getting an empty or mangled spool file). I'm just trying to gauge everyone's thoughts about this and see if anyone else has encountered the same problem. > > Thank you all! > Andrew |
From: Bruce S. <b.e...@co...> - 2014-07-08 01:30:16
|
Hi Alex Good point. I just checked and my snmptrapd is using the out-of-box CentOS 6.5 default options (-Lsd). I'll do a careful experiment (with SNMPTT stopped so I can capture the staging file) of both "-Lsd" and "-On" and get back to you. Regards Bruce On 07/07/14 02:24, Alex Burger wrote: > Hi Brad. > > Do you have this issue when running snmptrapd with the -On switch? > > Alex > > > On Friday, July 4, 2014, Bruce Smith <b.e...@co... > <mailto:b.e...@co...>> wrote: > > Hi > > I've found that sometimes the varbinds for the sysUpTimeInstance and > snmpTrapOID are delivered from snmptrapd to snmptt in symbolic format > instead of numeric OID format. A patch for version 1.4 follows: > > --- snmptthandler-embedded 2013-11-07 14:38:52.000000000 > +1300 > +++ /opt/software/snmptt_1.4/snmptthandler-embedded 2014-04-08 > 19:56:12.753044407 +1200 
> @@ -121,13 +121,13 @@ > $value =~ s/^IpAddress: //g; > $value =~ s/^Timeticks: //g; > > - if ($oid eq ".1.3.6.1.2.1.1.3.0") { > + if (($oid eq ".1.3.6.1.2.1.1.3.0") || ($oid eq > "DISMAN-EVENT-MIB::sysUpTimeInstance")) { > # my $temp = $value; > # $temp =~ /Timeticks: \(.*?\) (.*)/; > # $uptime = $oid . " " . $1; > $uptime = $oid . " " . $value; > } > - elsif ($oid eq ".1.3.6.1.6.3.1.1.4.1.0") { > + elsif (($oid eq ".1.3.6.1.6.3.1.1.4.1.0") || ($oid eq > "SNMPv2-MIB::snmpTrapOID.0")) { > # my $temp = $value; > # $temp =~ /OID: (.*)/; > # $trapname = $oid . " " . $1; > > > Regards > Bruce > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and > Eclipse > Turn processes into business applications with Bonita BPM > Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Snmptt-users mailing list > Snm...@li... <javascript:;> > https://lists.sourceforge.net/lists/listinfo/snmptt-users > |
From: Jim A. <ji...@ji...> - 2014-07-07 15:04:48
|
Andrew, yes I see the same thing here occasionally - on average about once every two weeks here (but I guess we're handling a lot fewer traps than you are). If your Linux system is at all similar to mine, you should find that snmptrapd writes log output to either /var/log/syslog or /var/log/debug . It might be worth checking those to confirm that snmptrapd has picked up the trap correctly before passing it on to the spool directory for processing by snmptt. If I recall correctly, this happens more so when the system is particularly busy. I put a lot of work in to optimising the Nagios install on our server to bring down CPU load a while ago, which alleviated but didn't entirely eliminate the issue. I would maybe recommend moving the spool directory to a RAM disk to improve performance, but having tried that for Nagios and finding that file locking broke (ymmv), I'm not so sure it would help! Personally I'm just living with the issue for the time being on the principle that SNMP over UDP is never going to be 100% reliable anyway... Cheers, Jim On 7 July 2014 15:19, Darmody, Andrew (ADARMODY) <ADA...@ar...> wrote: > Hello All, > I've been using SNMPTT in daemon mode for the past few months to monitor the SNMP traffic in our network (~100,000 traps a day). I have set up logging to snmptt.log (no database or syslog setup). So far I am very impressed with the speed and ease of use of SNMPTT but there is one problem that I am starting to notice. Right now I have a generic wildcard catch-all OID configured in the trap conf files (EVENT UNKNOWN_TRAP .* "UNKNOWN" UNKNOWN) so that in case we are sent a trap with an OID that isn't configured it will at least be logged into snmptt.log so that our post-processing application can pick it up. In addition, I also have unknown_trap_log_enable = 1 in snmptt.ini for a fallback thinking that nothing should show up in that log file because it should be picked up by the wildcard catch-all OID .* in the conf files. 
However, over the past few months a handful of traps have been getting logged into the snmpttunknown.log file. Looking into this file 90% of the entries look like this: > > Thu Jan 1 00:00:00 1970: Unknown trap () received from at: > Value 0: > Value 1: > Value 2: > Value 3: > Value 4: > Value 5: > Value 6: > Value 7: > Value 8: > Value 9: > Value 10: > > But a few are look like this (with the 'uptime' field inserted into where the OID should be): > > Thu Jan 1 00:00:00 1970: Unknown trap (0:10:36:50.00) received from 1404339384 at: > Value 0: 1404339384 > Value 1: > Value 2: [172.16.1.132]:60734->[172.16.1.133] > Value 3: 0:10:36:50.00 > Value 4: 172.16.1.132 > Value 5: public > Value 6: .1.3.74.1.10 > Value 7: > Value 8: > Value 9: > Value 10: > Ent Value 0: .1.3.6.1.6.3.1.1.4.1.0=.1.3.74.1.10.0.50003 > Ent Value 1: .1.3.74.1.10.1.3=UL > Ent Value 2: .1.3.74.1.10.1.4=0 > Ent Value 3: .1.3.74.1.10.1.5=0 > > I am also running wireshark on this box and all the traps that SNMPTT treats as 'unknown' are getting received and parsed correctly by wireshark. I am starting to suspect that this could possibly be a race condition between snmptthandler trying to write the trap to the spool directory and SNMPTT coming around in daemon mode to read the spool file before the snmptthandler is completely done writing to the spool directory (and therefore getting an empty or mangled spool file). I'm just trying to gauge everyone's thoughts about this and see if anyone else has encountered the same problem. > > Thank you all! 
> Andrew |
From: Darmody, A. (ADARMODY) <ADA...@ar...> - 2014-07-07 14:20:09
|
Hello All,

I've been using SNMPTT in daemon mode for the past few months to monitor the SNMP traffic in our network (~100,000 traps a day). I have set up logging to snmptt.log (no database or syslog setup). So far I am very impressed with the speed and ease of use of SNMPTT but there is one problem that I am starting to notice. Right now I have a generic wildcard catch-all OID configured in the trap conf files (EVENT UNKNOWN_TRAP .* "UNKNOWN" UNKNOWN) so that in case we are sent a trap with an OID that isn't configured it will at least be logged into snmptt.log so that our post-processing application can pick it up. In addition, I also have unknown_trap_log_enable = 1 in snmptt.ini for a fallback thinking that nothing should show up in that log file because it should be picked up by the wildcard catch-all OID .* in the conf files. However, over the past few months a handful of traps have been getting logged into the snmpttunknown.log file. Looking into this file 90% of the entries look like this:

Thu Jan 1 00:00:00 1970: Unknown trap () received from at:
Value 0:
Value 1:
Value 2:
Value 3:
Value 4:
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:

But a few look like this (with the 'uptime' field inserted into where the OID should be):

Thu Jan 1 00:00:00 1970: Unknown trap (0:10:36:50.00) received from 1404339384 at:
Value 0: 1404339384
Value 1:
Value 2: [172.16.1.132]:60734->[172.16.1.133]
Value 3: 0:10:36:50.00
Value 4: 172.16.1.132
Value 5: public
Value 6: .1.3.74.1.10
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: .1.3.6.1.6.3.1.1.4.1.0=.1.3.74.1.10.0.50003
Ent Value 1: .1.3.74.1.10.1.3=UL
Ent Value 2: .1.3.74.1.10.1.4=0
Ent Value 3: .1.3.74.1.10.1.5=0

I am also running wireshark on this box and all the traps that SNMPTT treats as 'unknown' are getting received and parsed correctly by wireshark.

I am starting to suspect that this could possibly be a race condition between snmptthandler trying to write the trap to the spool directory and SNMPTT coming around in daemon mode to read the spool file before the snmptthandler is completely done writing to the spool directory (and therefore getting an empty or mangled spool file). I'm just trying to gauge everyone's thoughts about this and see if anyone else has encountered the same problem.

Thank you all!
Andrew |
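The two kinds of snmpttunknown.log entry described in the message above can be separated from genuinely unconfigured traps mechanically, so a post-processing application can count them and still recover the trap OID when the snmpTrapOID.0 varbind survived. This is an added example, not part of the original post and not SNMPTT code; the function names and the 192.0.2.10 address are assumptions, and the sample log is constructed from the excerpts quoted in this thread with line breaks restored.

```python
import re
from collections import Counter

# Constructed sample in the snmpttunknown.log layout quoted in the thread
# (line breaks restored, empty Value lines trimmed, 192.0.2.10 is a placeholder).
SAMPLE_LOG = """\
Thu Jan  1 00:00:00 1970: Unknown trap () received from  at:
Value 0:
Value 1:

Thu Jan  1 00:00:00 1970: Unknown trap (0:10:36:50.00) received from 1404339384 at:
Value 0: 1404339384
Value 2: [172.16.1.132]:60734->[172.16.1.133]
Value 3: 0:10:36:50.00
Ent Value 0: .1.3.6.1.6.3.1.1.4.1.0=.1.3.74.1.10.0.50003

Fri Jun 20 16:32:23 2014: Unknown trap (.1.3.6.1.4.1.3607.6.10.30.0.1660) received from 192.0.2.10 at:
Value 3: .1.3.6.1.4.1.3607.6.10.30.0.1660
Ent Value 0: .1.3.6.1.4.1.3607.6.10.100.10.20.1=20080227205807S
"""

# Entry header: timestamp, trap field in parentheses, source (may be empty).
HEADER = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<year>\d{4})): "
    r"Unknown trap \((?P<trap>[^)]*)\) received from *(?P<src>\S*?) *at:",
    re.MULTILINE,
)
NUMERIC_OID = re.compile(r"^\.?\d+(?:\.\d+)+$")
# snmpTrapOID.0 varbind; when present it still carries the real trap OID.
SNMP_TRAP_OID = re.compile(r"\.1\.3\.6\.1\.6\.3\.1\.1\.4\.1\.0=(\S+)")


def classify(trap_field):
    """Label one entry by what ended up in the trap OID position."""
    if not trap_field:
        return "empty"          # no fields at all were read
    if not NUMERIC_OID.match(trap_field):
        return "mangled"        # something other than an OID, e.g. an uptime
    return "unconfigured"       # well-formed OID with no matching EVENT


def triage(log_text):
    """Split the log into entries and classify each one."""
    headers = list(HEADER.finditer(log_text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        recovered = SNMP_TRAP_OID.search(log_text, m.end(), end)
        entries.append({
            "timestamp": m.group("ts"),
            "kind": classify(m.group("trap")),
            "epoch_zero": m.group("year") == "1970",  # no usable timestamp was read
            "source": m.group("src"),
            "recovered_oid": recovered.group(1) if recovered else None,
        })
    return entries


def summarize(entries):
    """Count entries per kind, e.g. to alert on a rising 'empty' rate."""
    return dict(Counter(e["kind"] for e in entries))


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
    print(summarize(triage(SAMPLE_LOG)))
```

Tracking the "empty" and "mangled" counts against system load is one way to test the busy-system correlation mentioned in the replies.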
From: Eliezer C. <el...@ng...> - 2014-07-07 06:18:06
|
Does anyone by any chance monitor ESXi\VCENTER using alarm traps? Eliezer |
From: Alex B. <al...@us...> - 2014-07-06 16:24:51
|
Hi Brad. Do you have this issue when running snmptrapd with the -On switch? Alex On Friday, July 4, 2014, Bruce Smith <b.e...@co...> wrote: > Hi > > I've found that sometimes the varbinds for the sysUpTimeInstance and > snmpTrapOID are delivered from snmptrapd to snmptt in symbolic format > instead of numeric OID format. A patch for version 1.4 follows: > > --- snmptthandler-embedded 2013-11-07 14:38:52.000000000 +1300 > +++ /opt/software/snmptt_1.4/snmptthandler-embedded 2014-04-08 > 19:56:12.753044407 +1200 > @@ -121,13 +121,13 @@ > $value =~ s/^IpAddress: //g; > $value =~ s/^Timeticks: //g; > > - if ($oid eq ".1.3.6.1.2.1.1.3.0") { > + if (($oid eq ".1.3.6.1.2.1.1.3.0") || ($oid eq > "DISMAN-EVENT-MIB::sysUpTimeInstance")) { > # my $temp = $value; > # $temp =~ /Timeticks: \(.*?\) (.*)/; > # $uptime = $oid . " " . $1; > $uptime = $oid . " " . $value; > } > - elsif ($oid eq ".1.3.6.1.6.3.1.1.4.1.0") { > + elsif (($oid eq ".1.3.6.1.6.3.1.1.4.1.0") || ($oid eq > "SNMPv2-MIB::snmpTrapOID.0")) { > # my $temp = $value; > # $temp =~ /OID: (.*)/; > # $trapname = $oid . " " . $1; > > > Regards > Bruce > > ------------------------------------------------------------------------------ > Open source business process management suite built on Java and Eclipse > Turn processes into business applications with Bonita BPM Community Edition > Quickly connect people, data, and systems into organized workflows > Winner of BOSSIE, CODIE, OW2 and Gartner awards > http://p.sf.net/sfu/Bonitasoft > _______________________________________________ > Snmptt-users mailing list > Snm...@li... <javascript:;> > https://lists.sourceforge.net/lists/listinfo/snmptt-users > |
From: Bruce S. <b.e...@co...> - 2014-07-04 06:16:20
|
Hi I've found that sometimes the varbinds for the sysUpTimeInstance and snmpTrapOID are delivered from snmptrapd to snmptt in symbolic format instead of numeric OID format. A patch for version 1.4 follows: --- snmptthandler-embedded 2013-11-07 14:38:52.000000000 +1300 +++ /opt/software/snmptt_1.4/snmptthandler-embedded 2014-04-08 19:56:12.753044407 +1200 @@ -121,13 +121,13 @@ $value =~ s/^IpAddress: //g; $value =~ s/^Timeticks: //g; - if ($oid eq ".1.3.6.1.2.1.1.3.0") { + if (($oid eq ".1.3.6.1.2.1.1.3.0") || ($oid eq "DISMAN-EVENT-MIB::sysUpTimeInstance")) { # my $temp = $value; # $temp =~ /Timeticks: \(.*?\) (.*)/; # $uptime = $oid . " " . $1; $uptime = $oid . " " . $value; } - elsif ($oid eq ".1.3.6.1.6.3.1.1.4.1.0") { + elsif (($oid eq ".1.3.6.1.6.3.1.1.4.1.0") || ($oid eq "SNMPv2-MIB::snmpTrapOID.0")) { # my $temp = $value; # $temp =~ /OID: (.*)/; # $trapname = $oid . " " . $1; Regards Bruce |
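Review bot: in the first changed branch the comparison now accepts the symbolic name, but the unchanged line `$uptime = $oid . " " . $value;` still stores whatever `$oid` held, so a trap matched through `DISMAN-EVENT-MIB::sysUpTimeInstance` is passed on with the symbolic name instead of `.1.3.6.1.2.1.1.3.0`. If the consumer of `$uptime` expects the numeric form, assign the numeric OID explicitly in that branch (and check the `snmpTrapOID` branch for the same thing, since its assignment is outside the visible context). The added literals also match only the module-qualified spelling, so any other output format from snmptrapd would still fall through; normalising `$oid` to numeric once before the `if`, or a comment naming the snmptrapd options under which the symbolic form was seen, would make the intent clearer.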
From: andrewarnier <and...@gm...> - 2014-06-20 08:46:10
|
Hi all,

I am trying to use snmptrap to send an Equipment Failure trap (oid: .1.3.6.1.4.1.3607.6.10.30.0.1660) to the server. I have defined the trap oid in my configuration, but SNMPTT did not translate the traps and output them to unknown.log. Someone please help me, I don't know what to do anymore... what's wrong with me?

snmptrap -v 1 -c public 192.*.*.* .1.3.6.1.4.1.3607.6.10.30 192.*.*.14 6 1660 15 \
> .1.3.6.1.4.1.3607.6.10.100.10.20.1 s "20080227205807S" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.80.4103.220 s "90" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.20.4103.220 s "670" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.60.4103.220 s "16386" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.30.4103.220 s "4" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.40.4103.220 s "10" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.50.4103.220 s "0" \
> .1.3.6.1.4.1.3607.6.10.20.30.20.1.100.4103.220 s "slot11"

Trap translate format:

EVENT equipmentFailure .1.3.6.1.4.1.3607.6.10.30.0.1660 "CIS" Critical
FORMAT $o $A $8 Equipment Failure
MATCH $2:(100|50)
SDESC
A CIS Equipment Failure Alarm
EDESC

Unknown log:

Fri Jun 20 16:32:23 2014: Unknown trap (.1.3.6.1.4.1.3607.6.10.30.0.1660) received from 192.*.*.* at:
Value 0: 192.*.*.*
Value 1: 192.*.*.*
Value 2: 0:0:00:00.15
Value 3: .1.3.6.1.4.1.3607.6.10.30.0.1660
Value 4: 192.*.*.14
Value 5: public
Value 6: .1.3.6.1.4.1.3607.6.10.30
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: .1.3.6.1.4.1.3607.6.10.100.10.20.1=20080227205807S
Ent Value 1: .1.3.6.1.4.1.3607.6.10.20.30.20.1.80.4103.220=90
Ent Value 2: .1.3.6.1.4.1.3607.6.10.20.30.20.1.20.4103.220=670
Ent Value 3: .1.3.6.1.4.1.3607.6.10.20.30.20.1.60.4103.220=16386
Ent Value 4: .1.3.6.1.4.1.3607.6.10.20.30.20.1.30.4103.220=4
Ent Value 5: .1.3.6.1.4.1.3607.6.10.20.30.20.1.40.4103.220=10
Ent Value 6: .1.3.6.1.4.1.3607.6.10.20.30.20.1.50.4103.220=0
Ent Value 7: .1.3.6.1.4.1.3607.6.10.20.30.20.1.100.4103.220=slot11

Andrew |
From: Nicholas S. <sco...@gm...> - 2014-06-13 11:53:36
|
The proper perl libraries are not installed. I'm not sure which steps you followed, but you'll need to install the proper perl libraries, and those commands will vary depending on your distribution. Search through your package manager, something like: apt-cache search inifile | grep perl or yum search perl ini or yum provides '*/IniFiles.pm' Will work, depending on what type of system you are running. However these commands assume you're running a system that uses apt or yum. On Fri, Jun 13, 2014 at 5:46 AM, Covent <c.0...@gm...> wrote: > Hello list, > > I followed all the steps to install snmptt, but I can't run > > This is the error that shows me > > Can't use an undefined value as a symbol reference at > /usr/lib/perl5/vendor_perl/5.16.0/Config/IniFiles.pm line 817, <GEN0> line > 619. > > What am I doing wrong? > > Thanks, |
From: Covent <c.0...@gm...> - 2014-06-13 10:46:40
|
Hello list, I followed all the steps to install snmptt, but I can't run it. This is the error it shows me: Can't use an undefined value as a symbol reference at /usr/lib/perl5/vendor_perl/5.16.0/Config/IniFiles.pm line 817, <GEN0> line 619. What am I doing wrong? Thanks, |