SOPHOS UTM 9.3 SNMP trap

kelti
Posts: 4
Joined: Tue Oct 20, 2015 8:48 pm

SOPHOS UTM 9.3 SNMP trap

Post by kelti »

Hi All,

We have a SOPHOS UTM 9.3 that we would like to monitor using SNMP traps. SOPHOS provides the ASTARO-MIB.txt.
We have a Nagios XI 2014r2.7-64 virtual machine.

We have added and processed the MIB with success.
We are able to receive the traps, but they are going into snmpttunknown.log.

Has anyone had a similar encounter? Thank you in advance for any advice.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SOPHOS UTM 9.3 SNMP trap

Post by tgriep »

Can you post your /etc/snmp/snmptt.conf file and the log entries that are showing up in the snmpttunknown.log file?
A quick thing to try is to restart the snmptt daemon. Try that to see if that resolves the issue.

Code:

service snmptt restart
kelti
Posts: 4
Joined: Tue Oct 20, 2015 8:48 pm

Re: SOPHOS UTM 9.3 SNMP trap

Post by kelti »

Hi,

Thanks.

Code:

Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:1:55:14.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Thu Oct 22 14:06:02 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]


Thu Oct 22 14:06:07 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SOPHOS UTM 9.3 SNMP trap

Post by tgriep »

Edit /etc/snmp/snmptt.conf and change this from

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.1.5 "Status Events" Critical
to

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart
For some reason, it looks like your device isn't sending the full OID. If it doesn't match, it will not get processed and it will go into the unknown log.

Generate a TRAP and look in the Unconfigured Objects in XI; it should show up there to be configured.
kelti
Posts: 4
Joined: Tue Oct 20, 2015 8:48 pm

Re: SOPHOS UTM 9.3 SNMP trap

Post by kelti »

Hi,

I generated a failed web login, but it does not show in the unconfigured objects. It went to snmpttunknown.log.

This is what shows up in my trap viewer (attached jpg file).

Code:

Mon Oct 26 11:03:40 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:0:25:15.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.2.5=[utm][WARN][005]
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: SOPHOS UTM 9.3 SNMP trap

Post by Box293 »

tgriep wrote: Edit /etc/snmp/snmptt.conf and change this from

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.1.5 "Status Events" Critical
to

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart
For some reason, it looks like your device isn't sending the full OID. If it doesn't match, it will not get processed and it will go into the unknown log.

Generate a TRAP and look in the Unconfigured Objects in XI; it should show up there to be configured.
Try

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.* "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart
kelti
Posts: 4
Joined: Tue Oct 20, 2015 8:48 pm

Re: SOPHOS UTM 9.3 SNMP trap

Post by kelti »

Hi,
I edited two OIDs and managed to see both of them surface in snmptt.log.
I simulated a failed web login and Nagios did display the 'Failed WebAdmin' trap, but not the 'System was restarted' trap after I restarted the UTM.

Thanks.

Code:

EVENT info-000 .1.3.6.1.4.1.9789.1500 "Status Events" Warning
FORMAT System was restarted $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "System was restarted $*"
SDESC
System was restarted
Variables:
EDESC
#
EVENT warn-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
FORMAT Failed WebAdmin login $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "Failed WebAdmin login $*"
SDESC
Failed WebAdmin login
Variables:
EDESC

Code:

Tue Oct 27 10:50:06 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][WARN][005]
Tue Oct 27 10:50:06 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][WARN][005]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][007]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][000]
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: SOPHOS UTM 9.3 SNMP trap

Post by Box293 »

What is happening is that both events are being captured, as they are both for the same OID:

Code:

EVENT info-000 .1.3.6.1.4.1.9789.1500 "Status Events" Warning
EVENT warn-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Both are submitted to Nagios; however, the second one is overriding the first one, which is why you only see one in Nagios, the most recent one.

Your biggest problem is that you are receiving different traps on the same OID .1.3.6.1.4.1.9789.1500.
kelti wrote:

Code:

Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:1:55:14.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Thu Oct 22 14:06:02 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]


Thu Oct 22 14:06:07 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]
You may need to contact the manufacturer to find out why the traps come in this way, as they were originally correctly defined in the snmptt.conf file you supplied previously. They should come in with OIDs like:
.1.3.6.1.4.1.9789.1500.2.25
.1.3.6.1.4.1.9789.1500.2.856

The fact they stop at 1500 is strange.
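Added example, not part of the thread and not Nagios, snmptt or Sophos code: a Python script that parses snmpttunknown.log entries in the shape quoted above and then contrasts the two ways of keying the EVENT definitions discussed by tgriep and Box293. Keying on the bare trap OID (the workaround that got the traps out of the unknown log) makes every EVENT with that OID fire on every trap, which is why kelti's snmptt.log shows a "Failed WebAdmin login" line and a "System was restarted" line for each trap and why one overwrites the other in Nagios. Keying on the enterprise varbind OID (the `.1.5`, `.1.154`, `.2.5` tails, which is where the UTM actually carries the event identity) gives at most one event per trap, so an authentication-failure trap cannot be masked by an unrelated restart event. The sample log text is constructed; the only varbind-to-event mapping filled in is `.2.5` = Failed WebAdmin login, the pairing kelti's failed-login test showed; the `LEVEL_TO_SEVERITY` table and the `severity_from_value` helper are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input in the layout of the snmpttunknown.log excerpts
# quoted in this thread (hypothetical text, not taken from a live system).
UNKNOWN_LOG = """\
Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at:
Value 0: 10.0.0.61
Value 3: .1.3.6.1.4.1.9789.1500
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Thu Oct 22 14:06:02 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at:
Value 0: 10.0.0.61
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]


Mon Oct 26 11:03:40 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at:
Value 0: 10.0.0.61
Ent Value 0: .1.3.6.1.4.1.9789.1500.2.5=[utm][WARN][005]
"""

HEADER_RE = re.compile(
    r"^(?P<ts>.+?): Unknown trap \((?P<trap_oid>[.\d]+)\) received from (?P<src>\S+)")
ENT_RE = re.compile(r"^Ent Value \d+: (?P<oid>[.\d]+)=(?P<value>.*)$")
# Payload carried in the enterprise varbind, e.g. [utm][WARN][005]
VALUE_RE = re.compile(r"^\[(?P<facility>\w+)\]\[(?P<level>\w+)\]\[(?P<code>\d+)\]$")


@dataclass(frozen=True)
class Trap:
    timestamp: str
    source: str
    trap_oid: str     # what snmptt compared the EVENT lines against
    varbind_oid: str  # enterprise varbind that actually identifies the UTM event
    value: str        # e.g. "[utm][WARN][005]"

    def suffix(self) -> str:
        """OID tail below the trap OID, e.g. '.2.5' for ...9789.1500.2.5."""
        if self.varbind_oid.startswith(self.trap_oid + "."):
            return self.varbind_oid[len(self.trap_oid):]
        return self.varbind_oid


def parse_unknown_log(text: str) -> List[Trap]:
    """One Trap per 'Unknown trap ...' header plus its 'Ent Value 0:' line."""
    traps: List[Trap] = []
    header = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        m = ENT_RE.match(line)
        if m and header is not None:
            traps.append(Trap(header["ts"], header["src"], header["trap_oid"],
                              m["oid"], m["value"]))
            header = None
    return traps


# EVENT definitions as they ended up in the thread: both keyed on the bare trap OID.
EVENTS_BY_TRAP_OID: List[Tuple[str, str, str, str]] = [
    ("info-000", ".1.3.6.1.4.1.9789.1500", "Warning", "System was restarted"),
    ("warn-005", ".1.3.6.1.4.1.9789.1500", "Critical", "Failed WebAdmin login"),
]

# The same idea keyed on the varbind OID instead. Only the pairing the thread
# demonstrates is filled in (a failed WebAdmin login produced .2.5=[utm][WARN][005]);
# everything else is deliberately left unmapped so it is reported, not dropped.
EVENTS_BY_VARBIND_OID: Dict[str, Tuple[str, str, str]] = {
    ".1.3.6.1.4.1.9789.1500.2.5": ("warn-005", "Critical", "Failed WebAdmin login"),
}

# Assumed mapping from the UTM's level tag to a Nagios-style severity (illustration only).
LEVEL_TO_SEVERITY = {"INFO": "Normal", "WARN": "Warning"}


def severity_from_value(value: str) -> str:
    """Derive a severity from the [facility][LEVEL][code] payload; 'Unknown' if malformed."""
    m = VALUE_RE.match(value)
    return LEVEL_TO_SEVERITY.get(m["level"], "Unknown") if m else "Unknown"


def match_by_trap_oid(trap: Trap) -> List[str]:
    """Emulate EVENT lines that share one OID: every definition whose OID equals the
    trap OID fires, which is why the thread's snmptt.log shows both events per trap."""
    return [name for name, oid, _sev, _fmt in EVENTS_BY_TRAP_OID if oid == trap.trap_oid]


def match_by_varbind_oid(trap: Trap) -> Tuple[str, str, str]:
    """Route on the varbind OID so each trap maps to at most one event. Unmapped
    varbinds come back as 'unknown' with the raw value kept for triage."""
    hit = EVENTS_BY_VARBIND_OID.get(trap.varbind_oid)
    if hit is not None:
        return hit
    return ("unknown", severity_from_value(trap.value),
            f"Unmapped {trap.varbind_oid}={trap.value}")


if __name__ == "__main__":
    for t in parse_unknown_log(UNKNOWN_LOG):
        print(f"{t.suffix():8} trap-OID match -> {match_by_trap_oid(t)} | "
              f"varbind match -> {match_by_varbind_oid(t)}")
```

Run it as-is and the trap-OID column lists both events for all three traps, while the varbind column yields exactly one hit for `.2.5` and an explicit "unknown" for `.1.5` and `.1.154`. The script is only a model of the matching rule; in snmptt itself the equivalent of the second table is keeping the per-event OIDs the ASTARO MIB defines, which is why Box293 suggests asking the manufacturer why the traps arrive with the bare enterprise OID.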