SNMP Trap monitoring not working

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
paltel
Posts: 64
Joined: Wed Jul 22, 2015 3:47 am

SNMP Trap monitoring not working

Post by paltel »

Hello,

I have traps coming from a certain router using both V2 and V3 traps. I can see them in tcpdump:

15:08:51.900168 IP 172.17.3.163.54022 > 172.19.2.65.162: F=a U=xxxxx E= 0x800x000x000x090x030x000x000x1B0x530x500x270xB8 C= V2Trap(128) .1.3.6.1.2.1.1.3.0=1677238464 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.5 .1.3.6.1.4.1.9.2.1.5.0=10.102.4.220 .1.3.6.1.4.1.9.9.412.1.1.1.0=1 .1.3.6.1.4.1.9.9.412.1.1.2.0="10.102.4.220"
15:08:52.155178 IP 172.17.3.163.54022 > 172.19.2.65.162: C=xxxxxxxx V2Trap(128) .1.3.6.1.2.1.1.3.0=1677238464 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.6.3.1.1.5.5 .1.3.6.1.4.1.9.2.1.5.0=10.102.4.220 .1.3.6.1.4.1.9.9.412.1.1.1.0=1 .1.3.6.1.4.1.9.9.412.1.1.2.0="10.102.4.220"

I also have snmptt running, but nothing is being translated to XI.

Please help.

In the attached archive:
- snmpd.conf
- snmptrapd.conf
- snmptt.conf
- snmptt.ini
- service screenshot
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SNMP Trap monitoring not working

Post by tgriep »

In the XI GUI, can you go into Admin > Unconfigured Objects and see if they are there?
Also, can you check the unknown log on the XI server to see if they are there?
Take a look at /var/log/snmptt/snmpttunknown.log to see if they show up there.
Be sure to check out our Knowledgebase for helpful articles and solutions!
paltel
Posts: 64
Joined: Wed Jul 22, 2015 3:47 am

Re: SNMP Trap monitoring not working

Post by paltel »

Hello,

Nothing in unconfigured objects, nothing in snmpttunknown.log, both empty.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: SNMP Trap monitoring not working

Post by gormank »

Have a look in /var/log/snmptrapd.log and /var/log/snmptt.log. If nothing's in snmptrapd.log look at that, otherwise look at snmptt.

Do you have a service defined on the hosts sending traps that has "SNMP Traps" as the description? For some reason, that has to be the description.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SNMP Trap monitoring not working

Post by tgriep »

Thanks gormank, another place to look for any errors is the following folder.

Code:

/var/spool/snmptt/
paltel
Posts: 64
Joined: Wed Jul 22, 2015 3:47 am

Re: SNMP Trap monitoring not working

Post by paltel »

Hello,

Thank you all. I cleaned the snmptt spool and it was solved; it contained thousands of things.

But snmptt is not translating v3 traps, only v2. Can we do any fix?

Thanks
DigNetwerk
Posts: 40
Joined: Fri Oct 25, 2013 7:29 am

Re: SNMP Trap monitoring not working

Post by DigNetwerk »

+1 for v3 traps. We are using SNMPv3 more and more.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Trap monitoring not working

Post by ssax »

You need to configure snmptrapd to accept SNMPv3 traps or informs. Add something like this to the bottom of your /etc/snmp/snmptrapd.conf:

For SNMPv3 informs:

Code:

createUser snmpv3informuser SHA 'authpass' AES 'privpass'
authUser log,execute,net snmpv3informuser

Now restart snmptrapd:

Code:

service snmptrapd restart

You can then test it out from the command line and you should see it show up in /var/log/messages:

Code:

snmpinform -v 3 -u snmpv3informuser -a SHA -A authpass -x AES -X privpass -l authPriv localhost 42 coldStart

For SNMPv3 traps:

Code:

createUser -e 0x8000000001020304 snmpv3trapuser SHA 'authpass' AES 'privpass'
authUser log,execute,net snmpv3trapuser

Now restart snmptrapd:

Code:

service snmptrapd restart

You can then test it out from the command line and you should see it show up in /var/log/messages:

Code:

snmptrap -v 3 -n "" -a SHA -A 'authpass' -x AES -X 'privpass' -l authPriv -u snmpv3trapuser -e 0x8000000001020304 localhost 0 coldStart

Taken and adjusted from here:
- Read here for more information but you should only put any configuration in /etc/snmp/snmptrapd.conf (ignore the files listed in the guide).

http://www.net-snmp.org/wiki/index.php/ ... ifications
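
An added example (not from the thread and not Net-SNMP's own tooling): a shell function that lints an snmptrapd.conf for the createUser/authUser pairing the post above relies on, and reports whether each user carries the `-e` engine ID that distinguishes the trap entry from the inform entry. The function names and the sample file are constructed; it assumes passphrases contain no spaces.

```shell
#!/bin/sh
# Added example: lint an snmptrapd.conf read from stdin.
# Assumption: passphrases contain no spaces (awk splits on whitespace).
lint_trapd_conf() {
    awk '
    $1 == "createUser" {
        i = 2; eng = "none"
        if ($i == "-e") { eng = $(i + 1); i += 2 }  # -e ENGINEID, as in the trap entry
        user = $i; auth = $(i + 1); priv = $(i + 3)
        created[user] = 1
        printf "INFO %s: engineID=%s auth=%s priv=%s\n", user, eng, auth, (priv == "" ? "none" : priv)
        if (auth == "MD5" || priv == "DES") printf "WARN %s: legacy MD5/DES in use\n", user
        if (priv == "") printf "WARN %s: no privacy protocol, payload is cleartext\n", user
    }
    $1 == "authUser" {
        j = 3
        if ($j == "-s") j += 2                      # optional "-s MODEL" before the user
        authz[$j] = 1
        # authUser accepts authNoPriv unless the level field says priv.
        if ($(j + 1) != "priv") printf "NOTE %s: level is not priv\n", $j
    }
    END {
        for (u in authz) if (!(u in created)) printf "ERROR %s: authUser without createUser\n", u
        for (u in created) if (!(u in authz)) printf "ERROR %s: createUser without authUser\n", u
    }'
}

# Constructed sample, modelled on the lines in the post above plus two mistakes.
sample_conf() {
    cat <<'EOF'
createUser snmpv3informuser SHA 'authpass' AES 'privpass'
authUser log,execute,net snmpv3informuser
createUser -e 0x8000000001020304 snmpv3trapuser SHA 'authpass' AES 'privpass'
authUser log,execute,net snmpv3trapuser priv
createUser olduser MD5 'authpass'
authUser log,execute,net typouser
EOF
}

sample_conf | lint_trapd_conf
```

Run it against a live file with `lint_trapd_conf < /etc/snmp/snmptrapd.conf`.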
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: SNMP Trap monitoring not working

Post by gormank »

Hmm, now I remember that there's a change needed to the nagios init script if snmptt is used. The snmptt service stops working when the nagios service is restarted, so snmptt needs to be restarted with the nagios service.

Otherwise, the spool dir fills with traps as the OP described. Restarting snmptt allows it to process the files so no need to delete them. Or this is my experience.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Trap monitoring not working

Post by ssax »

@gormank, that shouldn't be the case, actually. What do you have set for mode at the top of your /etc/snmp/snmptt.ini?
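
An added example (not from the thread and not part of Nagios XI or SNMPTT): a shell function that reports the two things the posts above ask about, how many files are waiting in /var/spool/snmptt and which mode /etc/snmp/snmptt.ini sets. The function names, the 5-minute staleness threshold and the demo files are constructed.

```shell
#!/bin/sh
# Added example: summarise the snmptt spool hand-off discussed in this thread.
# Usage: snmptt_spool_status [SPOOL_DIR] [INI_FILE] [MAX_AGE_MINUTES]
snmptt_spool_status() {
    spool=${1:-/var/spool/snmptt}
    ini=${2:-/etc/snmp/snmptt.ini}
    max_age=${3:-5}

    # First "mode = ..." line of snmptt.ini; commented-out lines do not match.
    mode=$(awk -F= '/^[ \t]*mode[ \t]*=/ { gsub(/[ \t\r]/, "", $2); print $2; exit }' "$ini")

    # Regular files only; arithmetic expansion strips any padding from wc.
    total=$(( $(find "$spool" -type f | wc -l) ))
    stale=$(( $(find "$spool" -type f -mmin +"$max_age" | wc -l) ))

    # Files older than MAX_AGE mean traps are being written but not consumed.
    verdict=OK
    if [ "$stale" -gt 0 ]; then verdict=BACKLOG; fi
    echo "mode=${mode:-unknown} spool_files=$total stale_files=$stale verdict=$verdict"
}

# Constructed demo: a temporary spool holding one fresh and one old file.
demo_spool_status() {
    d=$(mktemp -d)
    printf '[General]\nmode = daemon\n' > "$d/snmptt.ini"
    mkdir "$d/spool"
    : > "$d/spool/fresh"
    : > "$d/spool/old"
    touch -t 200001010000 "$d/spool/old"   # backdate to force a stale file
    snmptt_spool_status "$d/spool" "$d/snmptt.ini" 5
    rm -rf "$d"
}

demo_spool_status
```

Called with no arguments, `snmptt_spool_status` reads the paths named in this thread.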