To receive SNMP Traps from a third party NMS categorized

Post by parisa »

Hi

I have around 5000 nodes that send SNMP traps to several monitoring servers, and every node has around 20 services for monitoring the node. To manage the traps, I want to gather them in another monitoring server. For this purpose I used Nagios XI to make sure it works.
The 5000 nodes send traps to the monitoring systems (SNMP senders) and they send the traps to Nagios XI (SNMP receiver). I configured Nagios to receive traps, but I faced some problems:

1) I need to see traps on Nagios XI per node, but when an SNMP sender sends a trap to Nagios (SNMP receiver), Nagios only recognizes the sender as the source of the trap (alarm). I need to categorize the traps based on the name of the nodes.

2) When I uploaded the related MIB in Nagios XI and then checked SNMPTT.log, I observed that all of the traps related to several services are received with only one OID (.1.x.x.x.x.x.x.x.x.x.7.1.0.1). I also receive the fault/recovery traps of an issue with the same OID.

When I checked the configuration in snmptt.conf.nxti and the content of every received trap, I observed this form for the OID:

Code:

EVENT xEventNotify .1.x.x.x.x.x.x.x.x.x.7.1.0.1 "Status Events" critical
FORMAT Received trap "$N" with variables "$+*"
EXEC php /usr/local/nagiosxi/scripts/nxti.php --event_name="$N" --event_oid="$i" --numeric_oid="$o" --symbolic_oid="$O" --community="$C" --trap_hostname="$R" --trap_ip="$aR" --agent_hostname="$A" --agent_ip="$aA" --category="$c" --severity="$s" --uptime="$T" --datetime="$x $X" --unixtime="$@" --bindings="$+*"
SDESC
Notification for real-time alarm.
Variables:
1: XNodeName
2: XNodeType
3: XObjectInstance
4: XEventType
5: XEventTime
6: XProbableCause
7: XSeverity
8: XEventDetail
9: XAdditionalInfo
10: XFaultFlag
11: XFaultFunction
12: XDeviceIP
13: XSerialNo
14: XProbableRepair
15: XResourceIDs
16: XAdditionalVB1
17: XAdditionalVB2
18: XAdditionalVB3
19: XAdditionalVB4
20: XAdditionalVB5
21: XAdditionalVB6
22: XAdditionalVB7
23: XAdditionalVB8
24: XEventName
25: XReasonID
26: XFaultID
27: XDeviceType
28: XTrailName
29: XRootAlarm
30: XGroupID
31: XMaintainStatus
32: XRootAlarmSerialNo
33: XConfirmStatus
34: XRestoreStatus
EDESC

And this is a sample of a received trap in SNMPTT.log:

Code:

Wed Nov 28 15:33:08 2018 .1.x.x.x.x.x.x.x.x.x.7.1.0.1 Normal "Status Events" 10.x.x.23 - Received trap "XEventNotify" with variables "enterprises.x.x.x.7.1.1.0:Node1 enterprises.x.x.x.7.1.2.0:Nodetype1 enterprises.x.x.x.7.1.3.0:source=Object-instance enterprises.x.x.x.7.1.4.0:typ1 enterprises.x.x.x.7.1.5.0:2018/11/28 - 12:02:54Z enterprises.x.x.x.7.1.6.0:\\(1)Cause1;\\(2)Cause2;\\(3)Cause3. enterprises.x.x.x.7.1.7.0:Critical enterprises.x.x.x.7.1.8.0:detail enterprises.x.x.x.7.1.9.0: additional info enterprises.x.x.x.7.1.10.0:Recovery enterprises.x.x.x.7.1.11.0:type enterprises.x.x.x.7.1.12.0:0.0.0.0 enterprises.x.x.x.7.1.13.0:12579266 enterprises.x.x.x.7.1.14.0: enterprises.2011.2.15.1.7.1.15.0:3147990.-1.6.1.50.1.-1.-1 enterprises.x.x.x.7.1.24.0:Alarm-1 enterprises.x.x.x.7.1.25.0:235 enterprises.x.x.x.7.1.26.0:235 enterprises.x.x.x.7.1.27.0:1955 enterprises.x.x.x.7.1.28.0: enterprises.x.x.x.7.1.29.0:0 enterprises.x.x.x.7.1.30.0:268374017 enterprises.x.x.x.7.1.31.0:0 enterprises.x.x.x.7.1.32.0:"

Actually the trap has 34 variables to pass various output based on a fault. For example, Node-Name is shown by variable enterprises.x.x.x.7.1.1.0, Service-Name is shown by variable enterprises.x.x.x.7.1.24.0, and the fault/recovery type of a trap is shown by variable enterprises.x.x.x.7.1.10.0 (these are the names of the variables).

Is there any solution to these problems? Would anyone help me in this regard?

Post by ssax »

It sounds like the traps are coming to a trap forwarder and then passed on to the Nagios server but you will want to use the original IP address of the sender.

To do that, you will have to edit the EXEC line and replace the $r with $aA which is the Trap agent IP address. This will work as long as the forwarder and the agent send the IP address.

Code:

EXEC /usr/local/bin/snmptraphandling.py "$aA" "SNMP Traps" "$s" "$@" "$-*" "The SNMP trap that is generated as a result of an event with the service $*"

See this page under the FORMAT: section that talks about the Variables and their meanings:

http://snmptt.sourceforge.net/docs/snmp ... ONF-FORMAT

Post by parisa »

@ssax Thank you for your answer

Exactly the traps are coming to a trap forwarder and then passed on to the Nagios server but you will want to use the original IP address of the sender.
When I use "$aA" or $A, it gives the IP of the sender "10.x.x.23", not the IP or name of the host, but I see the node name in the received trap in SNMPTT.log as the output of a variable (XNEName or enterprises.x.x.x.x.7.1.1.0).

Also, I don't use "SNMP Trap" as a service because I have more than 12 services for every host that should be monitored as passive checks. Actually, I have created a separate service for each alarm type in XI (the alarm name is shown as the output of variable "XEventName or enterprises.x.x.x.x.7.1.24.0" in received traps in SNMPTT.log).

Post by ssax »

You should be able to use $1, $2, $3, etc to access the data in the enterprise vars instead of $aA, try that and let us know if that works for you.
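
Added example, not part of the original posts and not Nagios or SNMPTT code: a Python trap handler that keys the passive check on the node name and event name carried in the varbinds (positions 1 and 24 in the SDESC listing) instead of the forwarder's IP, and maps the fault flag (position 10) to a state. The function names, the allowed-name pattern and the severity-to-state mapping are assumptions; the sample bindings are constructed from the log line in the first post.

```python
import re
import time

# Varbind positions from the SDESC listing in the first post.
NODE_NAME, SEVERITY, EVENT_DETAIL, FAULT_FLAG, EVENT_NAME = 1, 7, 8, 10, 24

# A binding starts at a token like "enterprises.x.x.x.7.1.24.0:". Values may
# contain spaces and colons, so split on those OID tokens only.
_OID = re.compile(r"(?:^|\s)(enterprises(?:\.[\w-]+)+):")
# Assumed naming policy for hosts and services (hypothetical, adjust locally).
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def parse_bindings(bindings):
    """Return {position: value} from an SNMPTT "$+*" string."""
    marks = list(_OID.finditer(bindings))
    values = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(bindings)
        position = int(m.group(1).split(".")[-2])  # ...7.1.<position>.0
        values[position] = bindings[m.end():end].strip()
    return values

def passive_result(bindings, now=None):
    """Build a PROCESS_SERVICE_CHECK_RESULT line keyed on the node name."""
    vb = parse_bindings(bindings)
    host, service = vb.get(NODE_NAME, ""), vb.get(EVENT_NAME, "")
    # Trap contents are sender-controlled: refuse names that could break the
    # ';'-delimited command or address an unexpected host or service.
    if not _SAFE_NAME.fullmatch(host) or not _SAFE_NAME.fullmatch(service):
        raise ValueError("unsafe host or service name in trap")
    flag = vb.get(FAULT_FLAG, "")
    if flag == "Recovery":
        state = 0                                          # OK
    elif flag == "Fault":
        state = 2 if vb.get(SEVERITY) == "Critical" else 1  # assumed mapping
    else:
        state = 3                                          # UNKNOWN
    # Control characters (a newline would start a new command) become spaces.
    output = re.sub(r"[\x00-\x1f]+", " ", f"{flag}: {vb.get(EVENT_DETAIL, '')}")
    ts = int(time.time() if now is None else now)
    return f"[{ts}] PROCESS_SERVICE_CHECK_RESULT;{host};{service};{state};{output}"

# Constructed sample, shortened from the SNMPTT.log line in the first post.
SAMPLE = ("enterprises.x.x.x.7.1.1.0:Node1 "
          "enterprises.x.x.x.7.1.5.0:2018/11/28 - 12:02:54Z "
          "enterprises.x.x.x.7.1.7.0:Critical enterprises.x.x.x.7.1.8.0:detail "
          "enterprises.x.x.x.7.1.10.0:Recovery enterprises.x.x.x.7.1.14.0: "
          "enterprises.x.x.x.7.1.24.0:Alarm-1")

if __name__ == "__main__":
    print(passive_result(SAMPLE))
```

The function only returns the external command line; where it is written (the Nagios command file) depends on the installation and is not shown in the thread.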

Post by parisa »

Thanks for your help.
It worked. I have used $1, $2, ... and $N, $aA, ... together because it couldn't recognize some variables.
For example, $24 is not recognized as Event-Name, so I used $N instead of it.

I have defined a trap for every service; below is a sample of it:

Code:

EVENT Alarm_1 .1.x.x.x.x.x.x.x.x.x.7.1.0.1 "XEventNotify" Critical
FORMAT Received trap "$N" with variables "$+*"
EXEC /usr/local/bin/snmptraphandling.py "$0" "Alarm_1" "$6" "$4" "$-*" "The SNMP trap that is generated as a result of an event with the service $*"
MATCH $9:Fault
SDESC
The Trap is related to ETH_LOS Alarm
EDESC

I have another question: how can I use the MATCH statement several times in a trap definition?
For example, I want to use it for "XFaultFlag" and "XEventName". Are the lines below correct?
MATCH $9: xxx
MATCH $23:yyy
And does Nagios check both of the conditions? Actually, I want "AND or OR" of the conditions.

Post by ssax »

From the documentation:
If no MATCH MODE= line exists, it defaults to 'or'.
So if you added those both to the trap definition it would match if $9 matched OR if $23 matched.

Code:

MATCH $9: xxx
MATCH $23: yyy

If you wanted them both to match (require $9 to match AND $23 to match) you would use:

Code:

MATCH MODE=and
MATCH $9: xxx
MATCH $23: yyy

Post by parisa »

When I added the MATCH statements in "Additional Raw Data" of Add a Trap Definition in the GUI (NXTI), I had to use the Enter key to define several MATCH statements. snmptt.conf.nxti is configured as below:

Code:

EVENT Alarm_1 .1.x.x.x.x.x.x.x.x.1.7.1.0.1 "XEventNotify" Critical
FORMAT Received trap "$N" with variables "$+*"
EXEC php /usr/local/nagiosxi/scripts/nxti.php --event_name="$N"  --event_oid="$i" --numeric_oid="$o" --symbolic_oid="$O" --community="$C" --trap_hostname="$R" --trap_ip="$aR" --agent_hostname="$A" --agent_ip="$aA" --category="$c" --severity="$s" --uptime="$T" --datetime="$x $X" --unixtime="$@" --bindings="$+*"
EXEC /usr/local/bin/snmptraphandling.py "$0" "Alarm_1" "$s" "$@" "" "Received trap from Host: $1 with Alarm: $N at Time: $5 with severity: $7 and Category: $10"
EXEC /usr/local/bin/snmptraphandling.py "$0" "Alarm_1" "$s" "$@" "$-*" "The SNMP trap that is generated as a result of an event with the service $*" 
MATCH $9:Fault^M
MATCH $N:Alarm_1^M
MATCH MODE=and

"^M" is added when I press the Enter key (it doesn't work even as follows: MATCH $9:Fault MATCH $N:Alarm_1 MATCH MODE=and).
And now I'm not able to delete them (the MATCH statements) via the GUI.

Would you please tell me how I can use snmptt.conf instead of snmptt.conf.nxti, to be able to edit traps by hand?
When I upload a MIB by SNMPTT (not SNMP Trap Interface), there is "This trap definition is being managed by NXTI" on top of each trap, and when I define a trap in SNMPTT.conf, the trap doesn't work.

Thanks

Post by ssax »

Try doing this:

Code:

yum install dos2unix
dos2unix /etc/snmp/snmptt.conf.nxti

Then try to remove the match statements from the web interface and it should work; it works on mine this way with Windows line endings.

Are you copying and pasting the match statements or are you just typing and then hitting enter? Meaning, are you copying and pasting the first line, then hitting enter, copying and pasting the second line, then enter, and so on, OR are you just copying and pasting all three match statements in there and the Windows line endings show up?
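
Added example (not from the thread or from Nagios): a Python check for the two MATCH problems reported above, ^M line endings left in snmptt.conf.nxti and several MATCH statements typed on one line, which can be run on the file content before and after dos2unix. The function names are hypothetical and the sample bytes are constructed from the listing in the thread.

```python
import re

def lint_snmptt(raw):
    """Return [(line_number, problem)] for snmptt.conf-style content (bytes)."""
    problems = []
    # Split on LF only so a stray CR stays attached to its line and is seen.
    for n, line in enumerate(raw.split(b"\n"), start=1):
        text = line.decode("utf-8", "replace")
        if text.endswith("\r"):
            problems.append((n, "carriage return (^M) at end of line"))
            text = text[:-1]
        if not text.startswith("MATCH"):
            continue
        # The thread reports that MATCH statements joined on one line fail.
        if len(re.findall(r"(?:^|\s)MATCH\s", text)) > 1:
            problems.append((n, "more than one MATCH statement on a line"))
        mode = re.match(r"MATCH\s+MODE=(\S*)", text)
        if mode and mode.group(1) not in ("and", "or"):
            problems.append((n, "MATCH MODE must be 'and' or 'or'"))
    return problems

def strip_cr(raw):
    """Convert CRLF line endings to LF, as dos2unix does."""
    return raw.replace(b"\r\n", b"\n")

# Constructed sample based on the snmptt.conf.nxti listing in the thread.
SAMPLE = (b'EVENT Alarm_1 .1.x.x.x.x.x.x.x.x.1.7.1.0.1 "XEventNotify" Critical\n'
          b'FORMAT Received trap "$N" with variables "$+*"\n'
          b"MATCH $9:Fault\r\n"
          b"MATCH $N:Alarm_1\r\n"
          b"MATCH MODE=and\n")
ONE_LINE = b"MATCH $9:Fault MATCH $N:Alarm_1 MATCH MODE=and\n"

if __name__ == "__main__":
    for n, problem in lint_snmptt(SAMPLE) + lint_snmptt(ONE_LINE):
        print(n, problem)
```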

Post by parisa »

Thank you for your answer.
The first time, I typed a line, pressed Enter and then typed another line; the next time, I copied the match statements from another place and pasted them here; and the last time, I tried copying and pasting them line by line, pressing Enter after every line.
I faced the problem in all of these ways.
Without Enter, I could not go to the next line.

Also, I had dos2unix before:

Code:

[root@localhost ~]# dos2unix /etc/snmp/snmptt.conf.nxti
dos2unix: converting file /etc/snmp/snmptt.conf.nxti to Unix format ...

I have the same problem again.

Would you please tell me how I can use snmptt.conf instead of snmptt.conf.nxti? When I upload a MIB by SNMPTT (not SNMP Trap Interface), there is "This trap definition is being managed by NXTI" on top of each trap, and when I define a trap in SNMPTT.conf, the trap doesn't work.

Post by ssax »

Please go to Admin > Manage Components and let me know the version number listed next to SNMP Trap Interface (NXTI).