SNMP Traps

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Envera IT
Posts: 159
Joined: Wed Jun 19, 2013 10:21 am

Re: SNMP Traps

Post by Envera IT »

tgriep wrote: I think I found the issue. The settings in the snmptrapd.conf file are incorrect so they are not getting passed from the snmptrapd daemon to the snmptt daemon correctly.
Can you edit the /etc/snmp/snmptrapd.conf file
Delete the following line


traphandle default /usr/local/bin/snmptraphandling.py
and uncomment the following line
#traphandle default /usr/sbin/snmptthandler

Save the file and restart the snmptrapd daemon by running the following


service snmptrapd restart
Try that and see if this works for you.
This worked. Once I set that I started getting unknown traps, the MIB browser I'm using shows the OID as .1.3.6.1.4.1.1418.4.5 but it was received as .1.3.6.1.4.1.1418.4.0.5. Modified the snmptt.conf file entry for that OID and tried again, still had it show up in unknown so I compared snmptt.ini on the test server and the production server and found that dns_enable was set to 0 instead of 1 on the production server. Fixed that, restarted the snmptt service and had traps coming in.

Thanks guys, I must have changed these settings when I was troubleshooting long ago. Appreciate the help as always.
I like graphs...
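The extra .0. in the received OID matches the SNMPv1-to-SNMPv2 trap mapping in RFC 3584 (enterprise OID, then 0, then the specific-trap number), which is the form an EVENT entry in snmptt.conf has to match. The sketch below is an added example, not code from the thread or from SNMPTT; the function names are hypothetical and RAW_TRAP reuses the raw trap lines from the debug log quoted later on this page.

```python
SNMP_TRAPS = "1.3.6.1.6.3.1.1.5"                 # generic traps are snmpTraps.1-6
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"          # snmpTrapOID.0
SNMP_TRAP_ENTERPRISE = "1.3.6.1.6.3.1.1.4.3.0"   # snmpTrapEnterprise.0

# Raw trap as shown in the snmptt debug log on this page.
RAW_TRAP = """1466774171
some-hostname
UDP: [192.168.242.50]:161->[10.0.1.161]
.1.3.6.1.2.1.1.3.0 1:16:59:34.85
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.1418.4.0.5
.1.3.6.1.4.1.1418.4.3.1.2.6 "Outlet7"
.1.3.6.1.4.1.1418.4.3.1.3.6 1
.1.3.6.1.6.3.18.1.3.0 192.168.242.50
.1.3.6.1.6.3.18.1.4.0 "community"
.1.3.6.1.6.3.1.1.4.3.0 .1.3.6.1.4.1.1418.4
"""

def v1_to_v2_trap_oid(enterprise, generic, specific):
    """Map SNMPv1 trap header fields to the v2 snmpTrapOID (RFC 3584, 3.1)."""
    if not 0 <= generic <= 6:
        raise ValueError("generic-trap must be 0..6")
    if generic == 6:                               # enterpriseSpecific
        return ".%s.0.%d" % (enterprise.strip("."), specific)
    return ".%s.%d" % (SNMP_TRAPS, generic + 1)    # coldStart(0) -> snmpTraps.1

def event_oid_from_raw_trap(raw, header_lines=3):
    """Return (trap_oid, enterprise, specific) from a raw trap block.

    The first header_lines lines (timestamp, hostname, transport) are
    skipped; the rest are 'OID value' pairs. specific stays None unless
    the trap OID has the enterprise.0.N shape of a converted v1 trap.
    """
    binds = {}
    for line in raw.strip().splitlines()[header_lines:]:
        oid, _, value = line.strip().partition(" ")
        binds[oid.strip(".")] = value.strip().strip('"')
    if SNMP_TRAP_OID not in binds:
        raise ValueError("no snmpTrapOID.0 varbind in trap")
    trap_oid = binds[SNMP_TRAP_OID].strip(".")
    enterprise = binds.get(SNMP_TRAP_ENTERPRISE, "").strip(".")
    specific = None
    prefix = enterprise + ".0."
    if enterprise and trap_oid.startswith(prefix):
        tail = trap_oid[len(prefix):]
        specific = int(tail) if tail.isdigit() else None
    return "." + trap_oid, ("." + enterprise) if enterprise else None, specific
```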
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SNMP Traps

Post by tgriep »

That is good to hear that it is working for you. Shall we close and lock the post then?
Be sure to check out our Knowledgebase for helpful articles and solutions!
Envera IT
Posts: 159
Joined: Wed Jun 19, 2013 10:21 am

Re: SNMP Traps

Post by Envera IT »

tgriep wrote:That is good to hear that it is working for you. Shall we close and lock the post then?

One more question here, more related to snmptt I imagine. The traps show up as this in Nagios' UI. Hopefully you guys can point me in the right direction here.
Outlet State Change: Outlet7 Changed State to 2 / enterprises.1418.4.3.1.2.6 ():Outlet7 enterprises.1418.4.3.1.3.6 ():2
I've been looking through the snmptt documentation and think I need to modify either the EXEC or FORMAT lines, but I'm not seeing why
/ enterprises.1418.4.3.1.2.6 ():Outlet7 enterprises.1418.4.3.1.3.6 ():2
is being shown, ideally I'd just get the symbolic form of the trap without any further details. Also it looks like the state variable isn't being translated, snmptt debug log shows the following.


Raw trap passed from snmptrapd:
1466774171
some-hostname
UDP: [192.168.242.50]:161->[10.0.1.161]
.1.3.6.1.2.1.1.3.0 1:16:59:34.85
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.1418.4.0.5
.1.3.6.1.4.1.1418.4.3.1.2.6 "Outlet7"
.1.3.6.1.4.1.1418.4.3.1.3.6 1
.1.3.6.1.6.3.18.1.3.0 192.168.242.50
.1.3.6.1.6.3.18.1.4.0 "community"
.1.3.6.1.6.3.1.1.4.3.0 .1.3.6.1.4.1.1418.4

Items passed from snmptrapd:
value 0: some-hostname

value 1: 192.168.242.50

value 2: .1.3.6.1.2.1.1.3.0

value 3: 1:16:59:34.85

value 4: .1.3.6.1.6.3.1.1.4.1.0

value 5: .1.3.6.1.4.1.1418.4.0.5

value 6: .1.3.6.1.4.1.1418.4.3.1.2.6

value 7: Outlet7

value 8: .1.3.6.1.4.1.1418.4.3.1.3.6

value 9: 1

value 10: .1.3.6.1.6.3.18.1.3.0

value 11: 192.168.242.50

value 12: .1.3.6.1.6.3.18.1.4.0

value 13: community

value 14: .1.3.6.1.6.3.1.1.4.3.0

value 15: .1.3.6.1.4.1.1418.4

Agent IP address (192.168.242.50) is the same as the host IP, so copying the host name: some-hostname
Trap received from some-hostname: .1.3.6.1.4.1.1418.4.0.5
0: hostname
1: ip address
2: uptime
3: trapname / OID
4: ip address from trap agent
5: trap community string
6: enterprise
7: securityEngineID (snmptthandler-embedded required)
8: securityName (snmptthandler-embedded required)
9: contextEngineID (snmptthandler-embedded required)
10: contextName (snmptthandler-embedded required)
0+: passed variables

Value 0: some-hostname

Value 1: 192.168.242.50

Value 2: 1:16:59:34.85

Value 3: .1.3.6.1.4.1.1418.4.0.5

Value 4: 192.168.242.50

Value 5: community

Value 6: .1.3.6.1.4.1.1418.4

Value 7:

Value 8:

Value 9:

Value 10:

Agent dns name: some-hostname

Ent Value 0 ($1): .1.3.6.1.4.1.1418.4.3.1.2.6=Outlet7

Ent Value 1 ($2): .1.3.6.1.4.1.1418.4.3.1.3.6=1

Exact match of trap found in EVENT hash table

Working with EVENT entry: .1.3.6.1.4.1.1418.4.0.5 => outletChange,Status Events,Critical,
No nodes defined for this entry so all nodes will match
No MATCH entries defined for this entry

Trap defined, processing...



PREEXEC line(s):


FORMAT line:

OID of trap: .1.3.6.1.4.1.1418.4.0.5. Will attempt to translate to text
Translated to enterprises.1418.4.0.5

OID of enterprise: .1.3.6.1.4.1.1418.4. Will attempt to translate to text
Translated to enterprises.1418.4

Variable .1.3.6.1.4.1.1418.4.3.1.3.6 with value 1
Value does not appear to contain an OID
Value is numerical
Value is NOT defined as an INTEGER or Integer32 in the mib

Variable .1.3.6.1.4.1.1418.4.3.1.2.6 with value Outlet7
Value does not appear to contain an OID

OID of received trap: .1.3.6.1.4.1.1418.4.0.5. Will attempt to translate to text
Translated to enterprises.1418.4.0.5
Outlet7 1

enterprises.1418.4.0.5 Critical "Status Events" some-hostname - Outlet7 1


EXEC line(s):

Variable .1.3.6.1.4.1.1418.4.3.1.3.6 with value 1
Value does not appear to contain an OID
Value is numerical
Value is NOT defined as an INTEGER or Integer32 in the mib

Variable .1.3.6.1.4.1.1418.4.3.1.2.6 with value Outlet7
Value does not appear to contain an OID

OID of received trap: .1.3.6.1.4.1.1418.4.0.5. Will attempt to translate to text
Translated to enterprises.1418.4.0.5
EXEC command:/usr/local/bin/snmptraphandling.py "some-hostname" "SNMP Traps" "Critical" "1466774171" "enterprises.1418.4.3.1.2.6 ():Outlet7 enterprises.1418.4.3.1.3.6 ():1" "Outlet State Change: $
Sleeping for 5 seconds

Relevant (I think) part of snmptt.ini
# Configures how OIDs contained in the VALUE of the variable bindings are handled.
# This only applies to the values for $n, $+n, $-n, $vn, $+*, $-*. For substitutions
# that include variable NAMES ($+n etc), only the variable VALUE is affected.
# Set to 0 to disable translating OID values to text (symbolic form)
# Set to 1 to translate OID values to short text (symbolic form) (eg: BuildingAlarm)
# Set to 2 to translate OID values to short text with module name (eg: UPS-MIB::BuildingAlarm)
# Set to 3 to translate OID values to long text (eg: iso...upsAlarm.BuildingAlarm)
# Set to 4 to translate OID values to long text with module name (eg:
# UPS-MIB::iso...upsAlarm.BuildingAlarm)
# For example, if the value contained: 'A UPS Alarm (.1.3.6.1.4.1.534.1.7.12) has cleared.',
# it could be translated to: 'A UPS Alarm (UPS-MIB::BuildingAlarm) has cleared.'
# Note: net_snmp_perl_enable *must* be enabled
translate_value_oids = 1

# Configures how the symbolic enterprise OID will be displayed for $E.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4.
# Note: net_snmp_perl_enable *must* be enabled
translate_enterprise_oid_format = 1

# Configures how the symbolic trap OID will be displayed for $O.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4.
# Note: net_snmp_perl_enable *must* be enabled
translate_trap_oid_format = 1

# Configures how the symbolic trap OID will be displayed for $v, $-n, $+n, $-* and $+*.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4.
# Note: net_snmp_perl_enable *must* be enabled
translate_varname_oid_format = 1

# Set to 0 to disable converting INTEGER values to enumeration tags as defined in the
# MIB files
# Set to 1 to enable converting INTEGER values to enumeration tags as defined in the
# MIB files
# Example: moverDoorState:open instead of moverDoorState:2
# Note: net_snmp_perl_enable *must* be enabled
translate_integers = 1

# Allows you to set the MIBS environment variable used by SNMPTT
# Leave blank or comment out to have the systems enviroment settings used
# To have all MIBS processed, set to ALL
# See the snmp.conf manual page for more info
#mibs_environment = ALL
I like graphs...
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia

Re: SNMP Traps

Post by Box293 »

Ehamby wrote:I've been looking through the snmptt documentation and think I need to modify either the EXEC or FORMAT lines, but I'm not seeing why
It's the EXEC line.

Some of what I am explaining is in this SNMP Trap guide I previously posted a link to.

https://support.nagios.com/kb/article.php?id=77

Under the section "Sending Traps To Nagios XI":

Here is an example EXEC line:


/usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "The SNMP trap that is generated as a result of an event with the service $*"
SNMPTT is using the script /usr/local/bin/snmptraphandling.py which sends PASSIVE check results to the Nagios command pipe. It requires the following arguments:

<HOST> <SERVICE> <SEVERITY> <TIME> <PERFDATA> <DATA>

<PERFDATA> = "$-*"

$-* means it will expand all the variables (OBJECTS) that were sent with the trap in the format of "variable name (variable type):value"

nSvcHostname (OCTETSTR):CentOS nSvcDesc (OCTETSTR):Users nSvcStateID (INTEGER):0 nSvcOutput (OCTETSTR):USERS OK - 0 users currently logged in

<DATA> = "The SNMP trap that is generated as a result of an event with the service $*"

$* means it will expand all the variables (OBJECTS) that were sent with the trap (exactly the same as the FORMAT line)


Personally, when it comes to SNMP Traps I don't see the need for performance data. So in the EXEC line, instead of "$-*" you can supply nothing in the quotes "" and it will get rid of / enterprises.1418.4.3.1.2.6 ():Outlet7 enterprises.1418.4.3.1.3.6 ():2

YOU MUST have the empty "" as there needs to be something passed to the script for <PERFDATA> (even an empty value).
Ehamby wrote: ideally I'd just get the symbolic form of the trap without any further details. Also it looks like the state variable isn't being translated, snmptt debug log shows the following.
In the /etc/snmp/snmptt.ini try uncommenting this line:


#mibs_environment = ALL
Then restart the snmptt service.

Also, I don't know what your EXEC line is, but instead of $* or $7 try $+* or $+7

http://snmptt.sourceforge.net/docs/snmp ... ONF-FORMAT

Does this help?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
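A sketch of what a handler on the receiving end of that EXEC line does with the six arguments, as an added example (not the code of snmptraphandling.py): it builds one PROCESS_SERVICE_CHECK_RESULT external command, shows the effect of an empty <PERFDATA>, and strips newlines because varbind text arrives from the network. The severity mapping, the helper names and the SAMPLE_DATA string are assumptions; the " / " separator follows the UI output quoted earlier in the thread.

```python
import re

# Assumed severity-to-state mapping for this sketch; the real script may differ.
SEVERITY_TO_STATE = {"normal": 0, "informational": 0, "warning": 1,
                     "minor": 1, "major": 2, "critical": 2, "severe": 2}

# Constructed sample arguments, modelled on the EXEC command in the debug log.
SAMPLE_DATA = "Outlet State Change: Outlet7 Changed State to 1"
SAMPLE_PERF = ("enterprises.1418.4.3.1.2.6 ():Outlet7 "
               "enterprises.1418.4.3.1.3.6 ():1")

def _clean(field, extra=""):
    """Remove characters that would break the external-command syntax.

    A newline inside a varbind would otherwise begin a second line in the
    Nagios command file, so CR, LF and NUL are collapsed to a space.
    """
    field = re.sub(r"[\r\n\x00]+", " ", str(field))
    for ch in extra:
        field = field.replace(ch, " ")
    return field.strip()

def build_passive_result(host, service, severity, time_, perfdata, data):
    """Build one passive check line from <HOST> <SERVICE> <SEVERITY> <TIME> <PERFDATA> <DATA>."""
    if not str(time_).isdigit():
        raise ValueError("TIME must be a Unix timestamp")
    state = SEVERITY_TO_STATE.get(severity.strip().lower(), 3)  # 3 = UNKNOWN
    output = _clean(data, "|")       # '|' would start perfdata in plugin output
    perf = _clean(perfdata, "|")
    if perf:                         # "$-*" expansion; "" leaves DATA on its own
        output += " / " + perf
    return "[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s" % (
        time_, _clean(host, ";"), _clean(service, ";"), state, output)

if __name__ == "__main__":
    args = ("some-hostname", "SNMP Traps", "Critical", "1466774171")
    print(build_passive_result(*args, SAMPLE_PERF, SAMPLE_DATA))  # with "$-*"
    print(build_passive_result(*args, "", SAMPLE_DATA))           # with ""
```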
Envera IT
Posts: 159
Joined: Wed Jun 19, 2013 10:21 am

Re: SNMP Traps

Post by Envera IT »

Box293 wrote:
Does this help?
Yes that makes it clear and is likely all I need to move this forward. Thank you for your help, the above guide is very good and overall I'm loving the new knowledge base. Thanks for your help, feel free to close this out.
I like graphs...
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: SNMP Traps

Post by mcapra »

Closing this
Former Nagios employee
https://www.mcapra.com/
Locked