SNMP Trap Monitoring in Nagios XI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
emartine
Posts: 660
Joined: Thu Dec 29, 2011 10:47 am

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

Thanks for that.

OK. I was just told this is now high priority so I need to focus on getting this working.

After making the trap modifications I started seeing received traps as critical. I then went ahead and processed the unconfigured objects and I noticed that I am getting:

==> /var/log/snmptt/snmptt.log <==
Wed Sep 23 09:36:38 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:36:39 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:36:41 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure

Wed Sep 23 09:38:38 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:38:39 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:38:41 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure

Wed Sep 23 09:40:38 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:40:39 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure
Wed Sep 23 09:40:41 2020 .1.3.6.1.6.3.1.1.5.5 Normal "Status Events" <Server IP> - SNMP athentication failure

I don't have anything from Nagios that is actively checking SNMP at 2-minute intervals with 3 checks.

Screenshots of the SNMP check are attached. Does this seem right to you?

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

Seems like it defined a different trap and the actual critical is now showing up in the unknown trap log as shown below.


Wed Sep 23 14:33:51 2020: Unknown trap (.1.3.6.1.4.1.4184.2.0.2) received from <Server IP> at:
Value 0: <Server IP>
Value 1: <Server IP>
Value 2: 2:3:51:48.71
Value 3: .1.3.6.1.4.1.4184.2.0.2
Value 4: <Server IP>
Value 5: openlink
Value 6: .1.3.6.1.4.1.4184.2
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: .1.3.6.1.4.1.4184.2.1.2.1.2.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=Cerner OPENLink 24.1-05
Ent Value 1: .1.3.6.1.4.1.4184.2.1.2.1.5.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=1
Ent Value 2: .1.3.6.1.4.1.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70=ICOT2415H0AHF
Ent Value 3: .1.3.6.1.4.1.4184.2.3.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70.11.80.82.69.67.89.83.69.95.51.77.50=PRECYSE_3M2
Ent Value 4: .1.3.6.1.4.1.4184.2.5.1.0=IN13
Ent Value 5: .1.3.6.1.4.1.4184.2.5.2.0=4
Ent Value 6: .1.3.6.1.4.1.4184.2.5.3.0=DOWN, Interface is not operational- ERROR status for Connection.
Ent Value 7: .1.3.6.1.4.1.4184.2.5.4.0=2020-09-23 14:33:51
Ent Value 8: .1.3.6.1.4.1.4184.2.5.8.0=0
Ent Value 9: .1.3.6.1.4.1.4184.2.5.9.0=0



I am attaching a screenshot... Is this the correct way to define this?
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: SNMP Trap Monitoring in Nagios XI

Post by tgriep »

The entries in the /var/log/snmptt/snmptt.log file are not coming from the nagios process.
They are the traps that the <Server IP> is sending to the nagios server so they are coming from that device.

The SNMP Traps service check is a passive check and typically the Check interval, and the max check attempts are set to a 1 so I would put those back.
Go to the Alert Settings menu and check the Notification Options you want to receive emails for and set the notification interval to zero so the service will only send one email notification.

Your second post.

In the trap definition, you need to put in a unique entry in the Event Name field so fix that and the trap may be received and show up in the unconfigured objects menu.
The name should be the following.

    oplGenericV2Trap

The match should be the following as there is not an 18th variable.

    MATCH $6: > 1

Be sure to check out our Knowledgebase for helpful articles and solutions!

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

> The entries in the /var/log/snmptt/snmptt.log file are not coming from the nagios process.
> They are the traps that the <Server IP> is sending to the nagios server so they are coming from that device.

Ok I will ignore these.

> The SNMP Traps service check is a passive check and typically the Check interval, and the max check attempts are set to a 1 so I would put those back.
> Go to the Alert Settings menu and check the Notification Options you want to receive emails for and set the notification interval to zero so the service will only send one email notification.

Done.

> Your second post.
>
> In the trap definition, you need to put in a unique entry in the Event Name field so fix that and the trap may be received and show up in the unconfigured objects menu.
>
> The name should be the following.
>
>     oplGenericV2Trap
>
> The match should be the following as there is not an 18th variable.
>
>     MATCH $6: > 1

I set it to $6:4 so that it matches this error exactly for my critical:


Wed Sep 23 14:18:51 2020: Unknown trap (.1.3.6.1.4.1.4184.2.0.2) received from <SERVER IP> at:
Value 0: <SERVER IP>
Value 1: <SERVER IP>
Value 2: 2:3:36:48.68
Value 3: .1.3.6.1.4.1.4184.2.0.2
Value 4: <SERVER IP>
Value 5: openlink
Value 6: .1.3.6.1.4.1.4184.2
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: .1.3.6.1.4.1.4184.2.1.2.1.2.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=Cerner OPENLink 24.1-05
Ent Value 1: .1.3.6.1.4.1.4184.2.1.2.1.5.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=1
Ent Value 2: .1.3.6.1.4.1.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70=ICOT2415H0AHF
Ent Value 3: .1.3.6.1.4.1.4184.2.3.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70.11.80.82.69.67.89.83.69.95.51.77.50=PRECYSE_3M2
Ent Value 4: .1.3.6.1.4.1.4184.2.5.1.0=IN13
Ent Value 5: .1.3.6.1.4.1.4184.2.5.2.0=4
Ent Value 6: .1.3.6.1.4.1.4184.2.5.3.0=DOWN, Interface is not operational- ERROR status for Connection.
Ent Value 7: .1.3.6.1.4.1.4184.2.5.4.0=2020-09-23 14:18:51
Ent Value 8: .1.3.6.1.4.1.4184.2.5.8.0=0
Ent Value 9: .1.3.6.1.4.1.4184.2.5.9.0=0


I'm attaching a screenshot of the defined traps so far. You said I needed to also define the OK state. Would a $6:1 be an ok state? Does the Event Name field matter for this since I can't define a trap with the same name?

You said I had to define both the normal and the critical states? Is that correct?

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

Also sending you files via PM since they contain IP addresses.

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

I received these two items this morning. Apparently a 1 is a Critical and Normal status event? I'm not sure how to interpret these.


Thu Sep 24 08:20:57 2020 .1.3.6.1.4.1.4184.2.0.2 Critical "Fatal" <server IP> - Received trap "oplGenericV2Trap" with variables"
enterprises.4184.2.1.2.1.2.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53:Cerner OPENLink 24.1-05
enterprises.4184.2.1.2.1.5.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53:1
enterprises.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70:ICOT2415H0AHF
enterprises.4184.2.5.1.0:EN92
enterprises.4184.2.5.2.0:1
enterprises.4184.2.5.3.0:RELOAD - Alert process reload by user request.
enterprises.4184.2.5.4.0:2020-09-24 08:20:57
enterprises.4184.2.5.8.0:0
enterprises.4184.2.5.9.0:0"


Thu Sep 24 08:20:57 2020 .1.3.6.1.4.1.4184.2.0.2 Normal "Status Events" <server IP> - Received trap "oplGenericV2Trap_Ok" with variables "
enterprises.4184.2.1.2.1.2.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53:Cerner OPENLink 24.1-05
enterprises.4184.2.1.2.1.5.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53:1
enterprises.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70:ICOT2415H0AHF
enterprises.4184.2.5.1.0:EN92
enterprises.4184.2.5.2.0:1
enterprises.4184.2.5.3.0:RELOAD - Alert process reload by user request.
enterprises.4184.2.5.4.0:2020-09-24 08:20:57
enterprises.4184.2.5.8.0:0
enterprises.4184.2.5.9.0:0"

They do show up in the received traps:


Timestamp           | Event Name          | OID                    | Trap Origin IP | Category      | Severity
2020-09-24 08:20:57 | oplGenericV2Trap    | enterprises.4184.2.0.2 | <server ip>    | Fatal         | Critical
2020-09-24 08:20:57 | oplGenericV2Trap_Ok | enterprises.4184.2.0.2 | <server ip>    | Status Events | Normal

Have I defined those appropriately?
I don't have any unconfigured objects however.

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

Something definitely seems to be off. It doesn't show the interface name. Is it possible to have it show the interface name that was critical? That would be Ent Value 3.

Ent Value 2: .1.3.6.1.4.1.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70=ICOT2415H0AHF
Ent Value 3: .1.3.6.1.4.1.4184.2.3.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70.11.80.82.69.67.89.83.69.95.51.77.50=PRECYSE_3M2

Re: SNMP Trap Monitoring in Nagios XI

Post by tgriep »

For the OK state, I would guess that the severity level for the reset would be a zero, if the device even clears the trap, so use the following for the match.

    MATCH $6:0

You need to add that to the Normal Status Events definition for the oplGenericV2Trap_Ok trap.
The info in the MIB file does not contain what is sent when the event is cleared but a zero is usually sent.


I would remove this trap definition as it mostly duplicates the other Critical trap.

    EVENT Openlink_Interface_Event .1.3.6.1.4.1.4184.2.0.2 "Interface_Not_Operational" Critical

Then edit the Critical trap

    oplGenericV2Trap .1.3.6.1.4.1.4184.2.0.2 "Fatal" Critical

Change this from

    "SNMP Trap Received at $@ with variables $+*"

to

    "The SMS OPENLink Alert process has issued an alert condition. The Interface is: $4"

Be sure to check out our Knowledgebase for helpful articles and solutions!
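
An added example (not part of the thread and not Nagios or SNMPTT code) of the numbering the answer above relies on: SNMPTT counts varbinds from $1, so "Ent Value 5" in the unknown-trap log is $6 and "Ent Value 3" is $4. It parses the Ent Value lines quoted earlier in the thread, then drops the interface varbind, as in the 9-variable traps logged on Sep 24, to show the severity value moving from $6 to $5. The labels "severity" and "interface" and all function names are assumptions.

```python
import re

# OIDs copied from the traps quoted in the thread; the labels "severity" and
# "interface" are assumptions based on how the posts use those values.
SEVERITY_OID = ".1.3.6.1.4.1.4184.2.5.2.0"
INTERFACE_OID = ".1.3.6.1.4.1.4184.2.3.2.1.1"

# Sample input: the "Ent Value" lines of the unknown-trap entry in the thread.
SAMPLE = """\
Ent Value 0: .1.3.6.1.4.1.4184.2.1.2.1.2.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=Cerner OPENLink 24.1-05
Ent Value 1: .1.3.6.1.4.1.4184.2.1.2.1.5.23.67.101.114.110.101.114.95.79.80.69.78.76.105.110.107.95.50.52.46.49.45.48.53=1
Ent Value 2: .1.3.6.1.4.1.4184.2.2.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70=ICOT2415H0AHF
Ent Value 3: .1.3.6.1.4.1.4184.2.3.2.1.1.13.73.67.79.84.50.52.49.53.72.48.65.72.70.11.80.82.69.67.89.83.69.95.51.77.50=PRECYSE_3M2
Ent Value 4: .1.3.6.1.4.1.4184.2.5.1.0=IN13
Ent Value 5: .1.3.6.1.4.1.4184.2.5.2.0=4
Ent Value 6: .1.3.6.1.4.1.4184.2.5.3.0=DOWN, Interface is not operational- ERROR status for Connection.
Ent Value 7: .1.3.6.1.4.1.4184.2.5.4.0=2020-09-23 14:33:51
Ent Value 8: .1.3.6.1.4.1.4184.2.5.8.0=0
Ent Value 9: .1.3.6.1.4.1.4184.2.5.9.0=0
"""

ENT_LINE = re.compile(r"^Ent Value \d+: (\.[\d.]+)=(.*)$", re.MULTILINE)

def parse_varbinds(entry):
    """Map SNMPTT variable number to (oid, value); 'Ent Value 0' is $1."""
    found = ENT_LINE.findall(entry)
    return {n: (oid, val.strip()) for n, (oid, val) in enumerate(found, start=1)}

def locate(varbinds, base_oid):
    """Return (n, value) of the first varbind at or under base_oid, else None."""
    for n, (oid, value) in varbinds.items():
        if (oid + ".").startswith(base_oid + "."):
            return n, value
    return None

def drop_oid(entry, base_oid):
    """Constructed variant: the same entry without varbinds under base_oid."""
    kept = [line for line in entry.splitlines() if f": {base_oid}." not in line]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    full = parse_varbinds(SAMPLE)
    short = parse_varbinds(drop_oid(SAMPLE, INTERFACE_OID))
    for label, vb in (("10 varbinds", full), ("interface varbind absent", short)):
        print(label, "| severity ($n, value):", locate(vb, SEVERITY_OID),
              "| interface ($n, value):", locate(vb, INTERFACE_OID))
```

A MATCH or FORMAT that refers to a fixed $n therefore reads a different field whenever the sender omits or adds a varbind ahead of it.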

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

Thank you! Finally making progress. Now I just need the app owner to trigger more traps.

Re: SNMP Trap Monitoring in Nagios XI

Post by emartine »

The output of the critical trap seems to be "The" ?