SNMP trap translation

[jsmurphy]

I've been trying to improve our SNMP trap translation recently and thus far I've managed to make the situation both much better and much worse, but I could probably make this go a whole lot faster with the advice of some one who's more familiar with SNMPTT. My last hurdle is ALL of my traps are currently displaying like this:

APC UPS: Communication lost: Communication lost between the agent and the UPS. / mtrapargsString.0 (OCTETSTR):UPS: Lost the local network management interface-to-UPS communication.

Rather than the values I'm seeing the short names, this is one of the easier to understand ones... some are just long strings of shortnames. Below are the relevant configs as they stand now:

/etc/snmp/snmptrapd.conf

Code: Select all

disableAuthorization yes
traphandle default /usr/local/sbin/snmptt

/etc/init.d/snmptrapd

Code: Select all

OPTIONS="-On -p /var/run/snmptrapd.pid -Lf /var/log/net-snmpd.log"
..
daemon --pidfile=$pidfile /usr/sbin/snmptrapd $OPTIONS

/etc/snmp/confs/APC.conf

Code: Select all

EVENT communicationLost .1.3.6.1.4.1.318.0.1 "Status Events" Critical
FORMAT APC UPS: Communication lost: Communication lost between the agent and the UPS.
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "APC UPS: Communication lost: Communication lost between the agent and the UPS."
SDESC
Critical: Communication to the UPS has been lost.  Steps
to reestablish communication are in progress.
Variables:
  1: mtrapargsString
EDESC

/etc/snmp/snmptt.ini

Code: Select all

net_snmp_perl_enable=1
net_snmp_perl_best_guess=2
translate_log_trap_oid=0
translate_value_oids=1
translate_enterprise_oid_format=1
translate_trap_oid_format=1
translate_varname_oid_format=1
translate_integers=1
mibs_environment = ALL
dynamic_nodes=0
description_mode=0
description_clean=1
exec_enable=1
pre_exec_enable=1
exec_escape=1

[jsmurphy]

Bump, where's Mr. nscott these days I hear he loves SNMP traps :p

[nscott]

Hey js,

I'm not sure if I'm understanding what you want properly, so excuse me if this is way off base, but if you want it to expand those variable names into their values you should just have to throw the $* on the end of your EXEC line:

Code: Select all

EVENT communicationLost .1.3.6.1.4.1.318.0.1 "Status Events" Critical
FORMAT APC UPS: Communication lost: Communication lost between the agent and the UPS.
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "APC UPS: Communication lost: Communication lost between the agent and the UPS: $*"
SDESC
Critical: Communication to the UPS has been lost.  Steps
to reestablish communication are in progress.
Variables:
  1: mtrapargsString
EDESC

[jsmurphy]

Sorry I didn't explain myself particularly well but yes that's exactly what I am trying to achieve, added $* to the end of the EXEC line and the message has changed from:

APC UPS: Communication lost: Communication lost between the agent and the UPS. / mtrapargsString.0 (OCTETSTR):UPS: Lost the local network management interface-to-UPS communication.

to:

APC UPS: Communication lost: Communication lost between the agent and the UPS. UPS: Lost the local network management interface-to-UPS communication. / mtrapargsString.0 (OCTETSTR):UPS: Lost the local network management interface-to-UPS communication.

So it's different but unfortunately no dice, for the sake of a wider data sample here is a more extreme example of the same behaviour from a test I setup from VMware vCenter:

Code: Select all

EVENT vpxdAlarm .1.3.6.1.4.1.6876.4.3.0.201 "Status Events" Critical
FORMAT This notification is sent on entity alarm state change, by the vCenter Server SNMP agent. $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "This notification is sent on entity alarm state change, by the vCenter Server SNMP agent. $*"
SDESC
This notification is sent on entity alarm state change, by the vCenter Server SNMP agent.
This information is also available through the vSphere client, through the Alarms screen.
Variables:
  1: vmwVpxdTrapType
  2: vmwVpxdHostName
  3: vmwVpxdVMName
  4: vmwVpxdOldStatus
  5: vmwVpxdNewStatus
  6: vmwVpxdObjValue
EDESC

vmwVpxdTargetObj.0 / vmwVpxdTargetObjType.0 (INTEGER):other vmwVpxdOldStatus.0 (OCTETSTR):Green vmwVpxdNewStatus.0 (OCTETSTR):Red vmwVpxdObjValue.0 (OCTETSTR):alarm

[nscott]

And you want to see the values that were sent by the trap? Could you give me an example of what you want the output string to look like?

[jsmurphy]

I don't particularly need these prefix bits: " / mtrapargsString.0 (OCTETSTR):" I'm just interested in the value... they make it harder to read the actual message (and take up valuable XI character count in the event information)

So something like this I suppose would be ideal:

APC UPS: Communication lost: Communication lost between the agent and the UPS. UPS: Lost the local network management interface-to-UPS communication.

[nscott]

js,

I've been digging on this one and haven't found anything on it but I too am very curious how to get rid of these. I dispatched a question to the mailing list and will notify you of the conclusion, but I am stumped as to why $* is behaving the way it is.

[jsmurphy]

Cheers Nick appreciate it. I might go through my snmptt.ini backup file and double check what's changed, maybe I misread or misunderstood something I updated.