Monitoring Traps

snapon_admin
Posts: 952
Joined: Mon Jun 10, 2013 10:39 am
Location: Kenosha, WI

Monitoring Traps

Post by snapon_admin »

Is there a different guide for setting up trap monitoring, or am I just doing something wrong here? I'm trying to set up trap monitoring to work, and I keep running into various snags. Here's what I've got.

I followed this guide: http://assets.nagios.com/downloads/nagi ... ith_XI.pdf

snmptt is running:

[root@lisl-ngos-01-pv snmptt]# service snmptt status
snmptt (pid  32424) is running...
You have new mail in /var/spool/mail/root
[root@lisl-ngos-01-pv snmptt]#
[root@lisl-ngos-01-pv snmptt]# service snmptrapd status
snmptrapd (pid 2038) is running...
[root@lisl-ngos-01-pv snmptt]#

snmptt version:

[root@lisl-ngos-01-pv snmptt]# rpm -qa | grep snmp
snmptt-1.3-3.nagios.noarch
net-snmp-5.5-44.el6_4.4.x86_64
net-snmp-devel-5.5-44.el6_4.4.x86_64
php-snmp-5.3.3-22.el6.x86_64
net-snmp-libs-5.5-44.el6_4.4.x86_64
net-snmp-utils-5.5-44.el6_4.4.x86_64
net-snmp-perl-5.5-44.el6_4.4.x86_64
[root@lisl-ngos-01-pv snmptt]#

Log directory:

[root@lisl-ngos-01-pv snmptt]# ls /var/log/snmptt
snmpttsystem.log
[root@lisl-ngos-01-pv snmptt]#

Log:

[root@lisl-ngos-01-pv snmptt]# cat snmpttsystem.log
Tue Oct 29 14:21:56 2013 SNMPTT v1.3 started
Tue Oct 29 14:21:56 2013 Loading /etc/snmp/snmptt.conf
Tue Oct 29 14:21:56 2013 Finished loading 1149 lines from /etc/snmp/snmptt.conf
Tue Oct 29 14:21:56 2013 Could not convert user id 'snmptt' to a numeric UID

Tue Oct 29 16:03:36 2013 SNMPTT v1.3 shutdown
Tue Oct 29 16:03:36 2013 Total traps received=0,Total traps translated=0,Total traps ignored=0,Total unknown traps=0
Tue Oct 29 16:03:40 2013 SNMPTT v1.3 started
Tue Oct 29 16:03:40 2013 Loading /etc/snmp/snmptt.conf
Tue Oct 29 16:03:40 2013 Finished loading 1333 lines from /etc/snmp/snmptt.conf
Tue Oct 29 16:03:41 2013 Changing to UID: snmptt (497)
You have new mail in /var/spool/mail/root
[root@lisl-ngos-01-pv snmptt]#

I don't think there's any confidential info in the snmptt.conf file, but I haven't scanned it through all the way to check yet. The MIBs I need for the traps I'm trying to monitor have been loaded using the web GUI, and addmib. Currently, we're trying to test this using a Bluecoat that can send test traps. From Bluecoat's documentation on that particular product:

To perform a test trap, click Perform test trap, enter the trap data (string) to be sent, and click Execute Trap. This sends a policy notification, as defined in the BLUECOAT-SG-POLICY-MIB, to all configured trap and inform recipients, and it is intended as a communications test.

That MIB is in the conf file:

MIB: BLUECOAT-SG-POLICY-MIB (file:./BLUECOAT-SG-POLICY-MIB.txt) converted on Tue Oct 29 14:38:44 2013 using snmpttconvertmib v1.3
#
#
#
EVENT devicePolicyTrap .1.3.6.1.4.1.3417.2.6.2.0.1 "Status Events" Normal
FORMAT A notification is generated when triggered by policy $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "A notification is generated when triggered by policy $*"
SDESC
A notification is generated when triggered by policy
Variables:
  1: devicePolicyMessage
EDESC

Just wondering what I'm doing wrong. Let me know if you need any additional info, and thanks!
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Monitoring Traps

Post by sreinhardt »

I would suggest looking at a couple of things.

snmptt.ini
mode = ?
daemon_uid = ?

permissions on the spool directory:
ll -d /var/spool/snmptt/

groups that snmptt user is in:
grep -i 'snmp' /etc/group

permissions on the nagios.cmd file:
ll /usr/local/nagios/var/rw/nagios.cmd

Let's start with some results from there and move forward!
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
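
The checks listed in the post above, collected into one script as an added example (not part of the thread and not Nagios or SNMPTT code): it reads mode and daemon_uid from snmptt.ini, then works out from owner, group and mode bits whether that account can write to the spool directory and to nagios.cmd. The snmptt.ini path and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). SNMPTT_INI is an assumed path; the other
# two paths are the ones shown in the thread. Mode bits only: POSIX ACLs and
# SELinux (the trailing "." in the ls output) are not evaluated.
SNMPTT_INI=${SNMPTT_INI:-/etc/snmp/snmptt.ini}
SPOOL_DIR=${SPOOL_DIR:-/var/spool/snmptt}
CMD_PIPE=${CMD_PIPE:-/usr/local/nagios/var/rw/nagios.cmd}

# ini_get FILE KEY: value of the last "KEY = value" line; commented lines skipped.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# class_digit USER "GROUPS" OWNER GROUP MODE: the rwx digit (0-7) that applies to
# USER (member of space-separated GROUPS) on a file owned OWNER:GROUP with octal
# MODE as printed by stat. root bypasses mode bits, so it is reported as 7.
class_digit() {
    m=$(echo "000$5" | sed 's/.*\(....\)$/\1/')   # normalise to four digits
    if [ "$1" = root ]; then echo 7; return; fi
    if [ "$1" = "$3" ]; then echo "$m" | cut -c2; return; fi
    for g in $2; do
        if [ "$g" = "$4" ]; then echo "$m" | cut -c3; return; fi
    done
    echo "$m" | cut -c4
}

# can_write USER PATH: true if USER's permission class has the write bit on PATH.
can_write() {
    [ -e "$2" ] || return 1
    set -- "$1" "$2" $(stat -c '%U %G %a' "$2")
    d=$(class_digit "$1" "$(id -Gn "$1" 2>/dev/null)" "$3" "$4" "$5")
    [ $((d & 2)) -ne 0 ]
}

audit() {
    ini_mode=$(ini_get "$SNMPTT_INI" mode)
    run_as=$(ini_get "$SNMPTT_INI" daemon_uid)
    echo "mode=$ini_mode daemon_uid=${run_as:-<blank: stays root>}"
    [ "$ini_mode" = daemon ] || echo "WARN: mode is not daemon"
    run_as=${run_as:-root}
    id "$run_as" >/dev/null 2>&1 || echo "FAIL: no such user: $run_as"
    for p in "$SPOOL_DIR" "$CMD_PIPE"; do
        if can_write "$run_as" "$p"; then echo "OK:   $run_as can write $p"
        else echo "FAIL: $run_as cannot write $p"; fi
    done
}

if [ "${1:-}" = run ]; then audit; fi
```

For a spool directory reported as `root root 755` and a command pipe reported as `nagios nagcmd 660`, an account in neither owning group gets digits 5 and 0, so it can write to neither path, while root can write to both.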

Re: Monitoring Traps

Post by snapon_admin »

mode = standalone
daemon_uid = snmptt

Already see the issue here. I believe that's supposed to be daemon mode. Not sure why it's standalone. Long story, but I tried this install once before and snmptt service wouldn't start so I had to completely undo everything and start over from scratch. Went through that whole process with a ticket to XI support since I couldn't get snmptt to uninstall. In the end we got it out and the re-install went off without a hitch. I know this was daemon before the uninstall/re-install, so I assume that's what it's supposed to be?

permissions on the spool directory:

[root@lisl-ngos-01-pv snmp]# ll -d /var/spool/snmptt/
drwxr-xr-x. 2 root root 4096 Nov  1  2012 /var/spool/snmptt/
[root@lisl-ngos-01-pv snmp]#

groups that snmptt user is in:
No output from

grep -i 'snmp' /etc/group

Thanks!

permissions on the nagios.cmd file:

[root@lisl-ngos-01-pv snmp]# ll /usr/local/nagios/var/rw/nagios.cmd
prw-rw----. 1 nagios nagcmd 0 Oct 30 13:22 /usr/local/nagios/var/rw/nagios.cmd
You have new mail in /var/spool/mail/root
[root@lisl-ngos-01-pv snmp]#

Re: Monitoring Traps

Post by sreinhardt »

You are correct on the daemon mode, also we need to switch users for the uid.

Make the following changes and restart snmptt service.

mode = daemon
daemon_uid = [Leave blank]

Leaving it blank will use the root account, less than ideal but until Nick or I find how to alter the snmptrapd to work as snmptt there is no way to reap the spool directory without snmptt being root. See how that works for you, it should also give the traphandling.py proper permission to access nagios.cmd and submit results for you!

Re: Monitoring Traps

Post by snapon_admin »

K, made the changes and still no go. Tried the test trap again and no change in nagios or to the log file. SNMP traps is also allowed in iptables, fyi. We had that issue already but saw the request being denied so iptables have already been adjusted for that, still nothing.

Re: Monitoring Traps

Post by sreinhardt »

Are you seeing that test trap or any other get logged into the /var/log/snmptt/snmptt.log or snmptt_unknown.log files? While we are at it, can you verify the snmptt daemon is actually running as root?

 ps -ef | grep -i snmp

Re: Monitoring Traps

Post by snapon_admin »

[root@lisl-ngos-01-pv snmptt]# ps -ef | grep -i snmp
root      2038     1  0 Oct25 ?        00:00:53 snmptrapd -On
root      9274  2686  0 14:48 pts/0    00:00:00 grep -i snmp
root     15757     1  0 14:07 ?        00:00:00 /usr/bin/perl /usr/local/sbin/snmptt --daemon
[root@lisl-ngos-01-pv snmptt]#

And no, no traps logged in snmptt.log, and snmptt_unknown.log doesn't exist.

[root@lisl-ngos-01-pv snmptt]# ls /var/log/snmptt
snmpttsystem.log

[root@lisl-ngos-01-pv snmptt]# cat snmpttsystem.log
Tue Oct 29 14:21:56 2013 SNMPTT v1.3 started
Tue Oct 29 14:21:56 2013 Loading /etc/snmp/snmptt.conf
Tue Oct 29 14:21:56 2013 Finished loading 1149 lines from /etc/snmp/snmptt.conf
Tue Oct 29 14:21:56 2013 Could not convert user id 'snmptt' to a numeric UID

Tue Oct 29 16:03:36 2013 SNMPTT v1.3 shutdown
Tue Oct 29 16:03:36 2013 Total traps received=0,Total traps translated=0,Total traps ignored=0,Total unknown traps=0
Tue Oct 29 16:03:40 2013 SNMPTT v1.3 started
Tue Oct 29 16:03:40 2013 Loading /etc/snmp/snmptt.conf
Tue Oct 29 16:03:40 2013 Finished loading 1333 lines from /etc/snmp/snmptt.conf
Tue Oct 29 16:03:41 2013 Changing to UID: snmptt (497)
Wed Oct 30 14:07:53 2013 SNMPTT v1.3 started
Wed Oct 30 14:07:53 2013 Loading /etc/snmp/snmptt.conf
Wed Oct 30 14:07:53 2013 Finished loading 1333 lines from /etc/snmp/snmptt.conf
[root@lisl-ngos-01-pv snmptt]#

Re: Monitoring Traps

Post by sreinhardt »

Well, if you're not getting anything in snmptt.log, not snmptt_system.log (this is just a startup log), snmptt is either not set to log to files, or not reaping traps. Let's see how many files are in there.

ll /var/spool/snmptt/ | wc -l

Re: Monitoring Traps

Post by snapon_admin »

See, I thought that was just a startup log, but wasn't sure. Ok, so how do I go about enabling logging? As for your question:

[root@lisl-ngos-01-pv snmptt]# ll /var/spool/snmptt/ | wc -l
1
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Monitoring Traps

Post by slansing »

This 'should' be covered under the logging section in this documentation:

http://snmptt.sourceforge.net/docs/snmp ... ngEventLog

Hope that helps!