SNMP Traps

ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Traps

Post by ssax »

Please read and follow this guide (including running the shell script). I know it's for XI, but it should install and set up traps properly; the information is very relevant:

https://assets.nagios.com/downloads/nag ... ios_XI.pdf


Then blank out your /etc/snmp/snmptt.conf file and then run the addmib command against your MIBs:

Code:

addmib /usr/share/snmp/mibs/YOURMIBFILE
addmib /usr/share/snmp/mibs/YOUROTHERMIBFILE

Then restart snmptt (you need to do this after every snmptt.conf change):

Code:

service snmptt restart

Let us know the results after testing and include all logs from /var/log/snmptt after submitting multiple traps. Also, please include your /etc/snmp/snmptt.conf file after you've done all of the above.

--

I'll include this additional information here to help you out:

This is the general flow of how SNMP traps work:

Device -> Nagios Server -> snmptrapd -> snmptt -> Nagios Service

Here's how it works in greater detail:

1. The device sends an SNMP trap with, say, an OID of .1.3.6.1.6.3.1.1.5.1 to the Nagios XI server.

2. The snmptrapd service receives the trap and then runs the default handler for traps (in this case SNMPTT)
- Taken from /etc/snmp/snmptrapd.conf

Code:

traphandle default /usr/sbin/snmptthandler

3. SNMPTT reads the trap and does some processing on it based on its configuration (translate IP of sender into DNS name, strip domain, all configurable in /etc/snmp/snmptt.ini).

4. SNMPTT doesn't know anything about the traps in your MIB files, the MIB files on the system are just used for translation from .1.3.6.1.6.3.1.1.5.1 into coldStart. You need to process the MIB file that contains your traps to get them into the /etc/snmp/snmptt.conf file which SNMPTT reads to match against to see if it should do anything with it (.1.3.6.1.6.3.1.1.5.1).

5. Since you've run addmib on the MIB file containing your traps (in this case /usr/share/snmp/mibs/SNMPv2-MIB.txt) it processes the trap and puts it into a format SNMPTT understands and changes the EXEC line (see below) to execute the snmptraphandling.py script (that's what puts it into Nagios).

Code:

EVENT coldStart .1.3.6.1.6.3.1.1.5.1 "Status Events" Normal
FORMAT A coldStart trap signifies that the SNMP entity, $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "A coldStart trap signifies that the SNMP entity, $*"
SDESC
A coldStart trap signifies that the SNMP entity,
supporting a notification originator application, is
reinitializing itself and that its configuration may
have been altered.
Variables:
EDESC

So SNMPTT says "Hey, I received a trap with OID .1.3.6.1.6.3.1.1.5.1, do I know anything about it? Let me check my /etc/snmp/snmptt.conf file. Oh, I see it matches the coldStart event (from above), I will run this EXEC line now (which happens to put it into Nagios)."

You can read more about SNMPTT and what those lines mean (and how you can change them if you want) here:

http://snmptt.sourceforge.net/docs/snmptt.shtml

Please see here for advanced reading:

https://support.nagios.com/kb/article.php?id=232
https://support.nagios.com/kb/article.php?id=559
https://support.nagios.com/kb/article.php?id=77
https://support.nagios.com/kb/article.php?id=493
https://support.nagios.com/kb/article.php?id=558


Thank you
orani
Posts: 169
Joined: Wed May 06, 2015 3:33 pm

Re: SNMP Traps

Post by orani »

No errors at the procedure
Attachments
snmpttsystem.log
(31.61 KiB) Downloaded 285 times
snmptt.log
(432 Bytes) Downloaded 282 times
snmptt.conf
(51.33 KiB) Downloaded 293 times
orani
Posts: 169
Joined: Wed May 06, 2015 3:33 pm

Re: SNMP Traps

Post by orani »

No errors at the procedure
Attachments
snmpttunknown.log
(225.62 KiB) Downloaded 324 times
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Traps

Post by ssax »

The reason that they are going into the snmpttunknown.log is because you are using an older Fortinet MIB that doesn't contain the OIDs that are being sent. Please download and use the Fortinet MIBs from the attachment; you will need to remove the entries that were put in there before.

Let us know the results.


Thank you
Attachments
fortinet.zip
(34.4 KiB) Downloaded 189 times
orani
Posts: 169
Joined: Wed May 06, 2015 3:33 pm

Re: SNMP Traps

Post by orani »

My tests are not from FortiGate but from Fujitsu servers.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Traps

Post by ssax »

Ok, you still have traps coming in that require those updated MIBs though, it's up to you whether you want them to be understood by XI.

Please send me the output of these commands:

Code:

ls -ld /var/spool/snmptt
ls -ld /var/spool/snmptt

Run this tail command (and let it run):

Code:

tail -f /var/log/messages /var/log/snmptt/*.log

Then force a few traps to be sent and let me know which ones are the proper ones and which SNMPTT logs they go into.


Thank you
orani
Posts: 169
Joined: Wed May 06, 2015 3:33 pm

Re: SNMP Traps

Post by orani »

Code:

[root@telematics ~]# ls -ld /var/spool/snmptt
drwxrwxr-x 2 snmptt snmptt 4096 Jan 30 19:53 /var/spool/snmptt

When I run

Code:

tail -f /var/log/messages /var/log/snmptt/*.log

and send some test traps from the server (10.0.5.12), the traps are caught but as an unknown trap (see below):

Code:

==> /var/log/snmptt/snmpttunknown.log <==
Mon Jan 30 19:58:28 2017: Unknown trap (.1.3.6.1.4.1.231.2.10.2.2.10.20.0.2000) received from 10.0.5.12 at: 
Value 0: 10.0.5.12
Value 1: 10.0.5.12
Value 2: 4:16:38:48.52
Value 3: .1.3.6.1.4.1.231.2.10.2.2.10.20.0.2000
Value 4: 10.0.5.12
Value 5: 
Value 6: .1.3.6.1.4.1.231.2.10.2.2.10.20
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.231.2.10.2.2.10.20.1.1.0=iRMC47B4FD
Ent Value 1: .1.3.6.1.4.1.231.2.10.2.2.10.20.1.2.0=0

This is happening because the system does not recognize the MIB of the system that the trap was sent from?
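
Added example, not part of the thread and not Nagios or SNMPTT code: the matching step ssax describes (SNMPTT looks the trap OID up among the EVENT lines in snmptt.conf) applied to a snmpttunknown.log like the one posted above, to tell a trap with no EVENT entry apart from one that is defined but still logged as unknown. The function names and verdict strings are hypothetical, only the first log entry comes from the thread (the rest, including sender 10.0.5.13, is constructed), and the script assumes exact numeric OID matching only.

```python
import re
from collections import Counter

# The coldStart entry quoted in the thread, as addmib writes it to snmptt.conf.
SNMPTT_CONF = '''\
EVENT coldStart .1.3.6.1.6.3.1.1.5.1 "Status Events" Normal
FORMAT A coldStart trap signifies that the SNMP entity, $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "A coldStart trap signifies that the SNMP entity, $*"
'''

# Constructed sample in the layout of the posted snmpttunknown.log excerpt.
# Only the first entry comes from the thread; the others are made up.
UNKNOWN_LOG = '''\
Mon Jan 30 19:58:28 2017: Unknown trap (.1.3.6.1.4.1.231.2.10.2.2.10.20.0.2000) received from 10.0.5.12 at:
Value 3: .1.3.6.1.4.1.231.2.10.2.2.10.20.0.2000
Mon Jan 30 19:59:02 2017: Unknown trap (.1.3.6.1.4.1.231.2.10.2.2.10.20.0.2000) received from 10.0.5.12 at:
Mon Jan 30 20:01:10 2017: Unknown trap (.1.3.6.1.6.3.1.1.5.1) received from 10.0.5.13 at:
'''

EVENT_RE = re.compile(r'^EVENT\s+(\S+)\s+(\.[\d.]+)\s', re.M)
UNKNOWN_RE = re.compile(r'Unknown trap \((\.[\d.]+)\) received from (\S+)')

def load_events(conf_text):
    """Map each numeric EVENT OID in snmptt.conf to its event name."""
    return {oid: name for name, oid in EVENT_RE.findall(conf_text)}

def triage(conf_text, log_text):
    """Return (oid, sender, count, verdict) for every unknown trap logged."""
    events = load_events(conf_text)
    seen = Counter(UNKNOWN_RE.findall(log_text))
    report = []
    for (oid, sender), count in sorted(seen.items()):
        if oid in events:
            # Defined but still unmatched: most likely snmptt was not
            # restarted after snmptt.conf changed.
            verdict = "stale_config:" + events[oid]
        else:
            # No EVENT entry: the MIB defining this trap has not been
            # processed with addmib.
            verdict = "missing_event"
        report.append((oid, sender, count, verdict))
    return report

if __name__ == "__main__":
    for oid, sender, count, verdict in triage(SNMPTT_CONF, UNKNOWN_LOG):
        print(f"{count:3d}  {sender:<12} {oid:<42} {verdict}")
```

On a real server, pass the contents of /etc/snmp/snmptt.conf and /var/log/snmptt/snmpttunknown.log to `triage()` instead of the embedded samples.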
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SNMP Traps

Post by ssax »

It looks like that OID is from FSC-SERVERCONTROL2-MIB or from SC2-MIB, do you have those Fujitsu MIBs? I was unable to find them, you will need to reach out to Fujitsu support if you do not have the proper MIB files.


Thank you
orani
Posts: 169
Joined: Wed May 06, 2015 3:33 pm

Re: SNMP Traps

Post by orani »

OK, I found those MIBs, so I will import them to the Nagios server and test the traps tomorrow. I will get back to you soon.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN
Contact:

Re: SNMP Traps

Post by dwhitfield »

Sounds good. Support starts 9am US Central time tomorrow (we've got a couple more hours today if you can get to it today).