'UNKNOWN' Host within snmptt.log

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
kcarlson
Posts: 56
Joined: Thu Oct 20, 2016 9:17 am

'UNKNOWN' Host within snmptt.log

Post by kcarlson »

Hello,

We recently updated our version of XI to v5.7.5 on our deployment which is running CentOS7. At the same time a yum update was performed. It appears that since then some, but not all, traps are showing up in snmptt.log as an 'UNKNOWN' host. I am able to look through the log and find a trap that showed the correct host IP and was handled correctly. After the update was done the same trap will now show 'UNKNOWN' where the host IP once was. I have found at least 2 hosts that are doing this now.

When I check the Unconfigured Objects window within the web interface I show them also as 'UNKNOWN' but really my only option is to delete them. I have deleted the service checks these traps correspond to and rebuilt them but have not had any luck. I'm kind of lost on where I should begin to troubleshoot this.

I have attached a text file showing two samples from the same host. The first one shows the host IP immediately after the "Status Events". While the second one shows it as UNKNOWN. My upgrade was performed on 11/18.

Thanks!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 'UNKNOWN' Host within snmptt.log

Post by ssax »

Please run this command as root/sudo and PM me the resulting /tmp/SNMPFILES.zip file so we can see how it's setup:

Code:

zip -r /tmp/SNMPFILES.zip /etc/snmp

Have you tried restarting the trap stack?

Code:

service snmptrapd restart
service snmptt restart
kcarlson
Posts: 56
Joined: Thu Oct 20, 2016 9:17 am

Re: 'UNKNOWN' Host within snmptt.log

Post by kcarlson »

Hello, I will PM you the zip file shortly. I have restarted the trap stack as I do not believe I had done that previously.

Thanks
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 'UNKNOWN' Host within snmptt.log

Post by ssax »

Did restarting it resolve the issue?

The trap definition looks proper, I'm wondering if the trap came in without it (which would be an issue on the remote system that is sending) for some reason.

You could try changing the Traps definition for it to use another value where it uses "$r" (see below in bold) which refers to the hostname, I would try $aR which refers to the IP:

EVENT tfAlarmCritical .1.3.6.1.4.1.24961.2.103.2.0.5 "Status Events" CRITICAL
FORMAT Critical alarms are sent for service affecting $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "Critical alarms are sent for service affecting $*"

You have these options:

Code:

$A - Trap agent host name (see Note 1 in the link below)
$aA - Trap agent IP address
$R, $r  - Trap hostname (see Note 1 in the link below)
$aR, $ar - IP address

I would try changing it to:

EXEC /usr/local/bin/snmptraphandling.py "$aR" "SNMP Traps" "$s" "$@" "$-*" "Critical alarms are sent for service affecting $*"

Then restart snmptt:

Code:

service snmptt restart

See if that resolves it for you.

Taken from here:

http://snmptt.sourceforge.net/docs/snmp ... ONF-FORMAT

Let us know the results.
kcarlson
Posts: 56
Joined: Thu Oct 20, 2016 9:17 am

Re: 'UNKNOWN' Host within snmptt.log

Post by kcarlson »

Restarting did not resolve the issue. I will try the next suggestion and report back.

Thank You!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 'UNKNOWN' Host within snmptt.log

Post by ssax »

Sounds good, we'll keep an eye out for your update.
kcarlson
Posts: 56
Joined: Thu Oct 20, 2016 9:17 am

Re: 'UNKNOWN' Host within snmptt.log

Post by kcarlson »

Hello, I have changed the trap definition and restarted snmptt. Unfortunately, it did not resolve my issue. I have uploaded an attachment (0103Trap) showing the most recent trap.

Thanks!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 'UNKNOWN' Host within snmptt.log

Post by ssax »

The output you attached, where specifically did you get that from?

Please run this command as root and send me the resulting /tmp/SNMPFILES.zip file:

Code:

zip -r /tmp/SNMPFILES.zip /etc/snmp
kcarlson
Posts: 56
Joined: Thu Oct 20, 2016 9:17 am

Re: 'UNKNOWN' Host within snmptt.log

Post by kcarlson »

The output I attached was taken from snmptt.log.

I have sent a PM with the zip file.

Thank you for your help.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: 'UNKNOWN' Host within snmptt.log

Post by ssax »

Please edit your /etc/snmp/snmptt.conf and change this:

Code:

EVENT tfAlarmCritical .1.3.6.1.4.1.24961.2.103.2.0.5 "Status Events" CRITICAL
FORMAT Critical alarms are sent for service affecting $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "Critical alarms are sent for service affecting $*"
SDESC
Critical alarms are sent for service affecting
problems that require immediate corrective action.
Variables:
  1: tfAlarmType
  2: tfAlarmDevice
  3: tfAlarmObject
  4: tfAlarmObjectOID
  5: tfAlarmObjectStr
  6: tfAlarmSpecificProblem
  7: tfAlarmEventType
  8: tfAlarmProbableCause
  9: tfAlarmTime
  10: tfAlarmText
EDESC

To this:

Code:

EVENT tfAlarmCritical .1.3.6.1.4.1.24961.2.103.2.0.5 "Status Events" CRITICAL
FORMAT Critical alarms are sent for service affecting $*
EXEC /usr/local/bin/snmptraphandling.py "$aR" "SNMP Traps" "$s" "$@" "$-*" "Critical alarms are sent for service affecting $*"
SDESC
Critical alarms are sent for service affecting
problems that require immediate corrective action.
Variables:
  1: tfAlarmType
  2: tfAlarmDevice
  3: tfAlarmObject
  4: tfAlarmObjectOID
  5: tfAlarmObjectStr
  6: tfAlarmSpecificProblem
  7: tfAlarmEventType
  8: tfAlarmProbableCause
  9: tfAlarmTime
  10: tfAlarmText
EDESC

Then restart SNMPTT:

Code:

service snmptt restart

Then resend the trap and validate.
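
Added example, not part of the thread and not Nagios or SNMPTT code: a small audit of snmptt.conf text that reports which host substitution variable each EXEC line hands to the handler, covering both the variable list and the "$r" to "$aR" edit discussed above. The sample config is constructed (`exampleEvent` and its OID are made up), and the script assumes the host is the first handler argument, as in the thread's EXEC lines.

```python
import shlex

# Host substitution variables as listed in the thread, and what each expands to.
HOST_VARS = {
    "$A": "agent hostname", "$aA": "agent IP",
    "$R": "hostname", "$r": "hostname",
    "$aR": "IP", "$ar": "IP",
}

# Constructed sample: the first definition is the one from the thread,
# the second is a made-up event that already passes the IP.
SAMPLE_CONF = '''\
EVENT tfAlarmCritical .1.3.6.1.4.1.24961.2.103.2.0.5 "Status Events" CRITICAL
FORMAT Critical alarms are sent for service affecting $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "Critical alarms are sent for service affecting $*"
SDESC
Critical alarms are sent for service affecting
problems that require immediate corrective action.
EDESC
EVENT exampleEvent .1.3.6.1.4.1.99999.0.1 "Status Events" WARNING
FORMAT Constructed example $*
EXEC /usr/local/bin/snmptraphandling.py "$aR" "SNMP Traps" "$s" "$@" "$-*" "Constructed example $*"
'''

def audit_exec_hosts(conf_text):
    """Return (event, oid, host_arg, kind) for every EXEC line in snmptt.conf text."""
    rows, event, in_desc = [], None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line in ("SDESC", "EDESC"):      # free-text description block: skip it
            in_desc = (line == "SDESC")
        elif in_desc:
            continue
        elif line.startswith("EVENT "):
            _, name, oid = line.split()[:3]
            event = (name, oid)
        elif line.startswith("EXEC ") and event:
            argv = shlex.split(line[len("EXEC "):])
            # Assumption: argv[1] is the host, as in the thread's EXEC lines.
            host_arg = argv[1] if len(argv) > 1 else ""
            rows.append((*event, host_arg, HOST_VARS.get(host_arg, "literal/other")))
    return rows

def hostname_dependent(conf_text):
    """Events whose handler receives a hostname variable rather than an IP."""
    return [r[0] for r in audit_exec_hosts(conf_text) if "hostname" in r[3]]

if __name__ == "__main__":
    for row in audit_exec_hosts(SAMPLE_CONF):
        print("%-18s %-34s %-5s -> %s" % row)
```

Reading the real file's contents into `hostname_dependent()` lists the definitions that still pass a hostname variable and so are candidates for the same edit.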