Help with SNMP traps?

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
jbennett
Posts: 522
Joined: Mon Apr 16, 2012 3:00 pm

Re: Help with SNMP traps?

Post by jbennett »

In checking logs, I found the following:

Code:

Wed Apr  3 11:07:16 2013 SNMPTT v1.3 shutdown
Wed Apr  3 11:07:17 2013 Total traps received=690,Total traps translated=658,Total traps ignored=0,Total unknown traps=32
Wed Apr  3 11:13:34 2013 SNMPTT v1.3 started
Wed Apr  3 11:13:35 2013 Loading /etc/snmp/snmptt.conf
Wed Apr  3 11:13:35 2013 Finished loading 1415 lines from /etc/snmp/snmptt.conf
Wed Apr  3 11:13:35 2013 Could not convert user id 'snmptt' to a numeric UID

When I check the /etc/passwd file, it is apparent that there is no SNMPTT user present.

Searching online, this appears to have been a bug from SNMPTT 1.2 but was corrected in 1.2-4. As above, I'm running 1.3.

Would this be causing some problems?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Help with SNMP traps?

Post by scottwilkerson »

jbennett wrote: Would this be causing some problems?

Not likely, you are receiving traps

Code:

Total traps received=690,Total traps translated=658,Total traps ignored=0,Total unknown traps=32

And these should also be showing up in /var/log/snmptt.log or the unknowns to /var/log/snmptt/snmpttunknown.log
Former Nagios employee
jbennett
Posts: 522
Joined: Mon Apr 16, 2012 3:00 pm

Re: Help with SNMP traps?

Post by jbennett »

From my /etc/snmp/snmptrapd.conf file it appears that snmptt is running as a daemon.

Code:

disableAuthorization yes
traphandle default /usr/local/sbin/snmptthandler

Code:

# service snmptt status
snmptt (pid 2541 2540) is running...

When I check the /var/log/snmptt/snmptt.log file, I see the following:

Code:

Tue Apr  9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" nagiosserver - An authenticationFailure trap signifies that the SNMP
Tue Apr  9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" localhost - An authenticationFailure trap signifies that the SNMP

This makes it appear as if the box can't communicate with itself. When I check the snmpd.conf file, I see the following. Do I need to adjust something here? Should I try 127.0.0.1 instead of localhost? Is there somewhere that I should set the community name that the BOX uses for snmp (assuming that snmpd.conf is setting the community name that the snmpd service is looking for)?

Code:

# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.

# rwuser: a SNMPv3 read-write user
#   arguments:  user [noauth|auth|priv] [restriction_oid]

rwuser  roadway auth

# rouser: a SNMPv3 read-only user
#   arguments:  user [noauth|auth|priv] [restriction_oid]

rouser  roadway auth .1.3.6.1.4.1.8072

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rocommunity  roadway  .1.3.6.1.2.1.1

# rwcommunity: a SNMPv1/SNMPv2c read-write access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rwcommunity  roadway



###########################################################################
# SECTION: Trap Destinations
#
#   Here we define who the agent will send traps to.

# trapsink: A SNMPv1 trap receiver
#   arguments: host [community] [portnum]

trapsink  localhost roadway 162

# trap2sink: A SNMPv2c trap receiver
#   arguments: host [community] [portnum]

trap2sink  localhost roadway 162

# informsink: A SNMPv2c inform (acknowledged trap) receiver
#   arguments: host [community] [portnum]

informsink  localhost roadway 162

# trapcommunity: Default trap sink community to use
#   arguments: community-string

trapcommunity  roadway

# authtrapenable: Should we send traps when authentication failures occur
#   arguments: 1 | 2   (1 = yes, 2 = no)

authtrapenable  1
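
Added example, not part of the original thread: a small Python check that lists which SNMPv1/v2c community strings the snmpd.conf above accepts and from which source, reading the arguments in the order the file's own comments give (community, then source, then OID). The function name and the sample text (the active directives copied from the post) are this example's own.

```python
import re

# Constructed sample: the active directives from the snmpd.conf posted above.
SAMPLE_CONF = """\
rocommunity  roadway  .1.3.6.1.2.1.1
rwcommunity  roadway
trapsink  localhost roadway 162
trap2sink  localhost roadway 162
informsink  localhost roadway 162
trapcommunity  roadway
authtrapenable  1
"""

# A leading dot is required so that an IPv4 source is not mistaken for an OID.
OID_RE = re.compile(r"^\.\d+(\.\d+)+$")


def audit_snmpd_conf(text):
    """Return (accepted, sinks, findings) for the SNMPv1/v2c directives."""
    accepted, sinks, findings, authtrap = [], [], [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key, args = fields[0], fields[1:]
        if key in ("rocommunity", "rwcommunity"):
            # Order from the file's comments: community [source] [oid]
            source = args[1] if len(args) > 1 else "default"
            accepted.append((key, args[0], source))
            if OID_RE.match(source):
                findings.append(f"{key} {args[0]}: OID {source} is in the source position")
            elif source == "default" and key == "rwcommunity":
                findings.append(f"{key} {args[0]}: write access from any source")
        elif key in ("trapsink", "trap2sink", "informsink"):
            sinks.append((key, args[0], args[1] if len(args) > 1 else None))
        elif key == "authtrapenable":
            authtrap = args[0] == "1"
    if authtrap and sinks:
        names = sorted({community for _, community, _ in accepted})
        findings.append("authtrapenable 1: requests using a community other than "
                        f"{names} raise authenticationFailure traps to {len(sinks)} sink(s)")
    return accepted, sinks, findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF)[2]:
        print(finding)
```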
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Help with SNMP traps?

Post by abrist »

SNMP "authenticationFailure" traps mean that something is trying to access your device via SNMP and using the wrong community string. Double check your community strings.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
jbennett
Posts: 522
Joined: Mon Apr 16, 2012 3:00 pm

Re: Help with SNMP traps?

Post by jbennett »

abrist wrote: SNMP "authenticationFailure" traps mean that something is trying to access your device via SNMP and using the wrong community string. Double check your community strings.

That's what I'm trying to do. Where is this set on the localhost? If I have set the community string in the snmpd.conf file already, is there somewhere else that I've missed for the localhost?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Help with SNMP traps?

Post by abrist »

jbennett wrote:
Tue Apr 9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" nagiosserver - An authenticationFailure trap signifies that the SNMP
Tue Apr 9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" localhost - An authenticationFailure trap signifies that the SNMP

Are all of the current errors specific to the oid .1.3.6.1.6.3.1.1.5. ?
I ask because you are receiving a large number of traps - 600+, so maybe it is a problem with just that oid/device?
jbennett
Posts: 522
Joined: Mon Apr 16, 2012 3:00 pm

Re: Help with SNMP traps?

Post by jbennett »

Yes, as far back as I can check I have the same OID.

As far back as I can check, I have the exact same messages:

Code:

Tue Apr 9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" nagiosserver - An authenticationFailure trap signifies that the SNMP
Tue Apr 9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" localhost - An authenticationFailure trap signifies that the SNMP

This is why I'm wondering if it's a setting on the localhost that's not allowing SNMP to communicate to itself. Is the community name supposed to be set somewhere else OTHER than just in the snmpd.conf file?

My understanding is that the snmpd.conf file is telling the system what it should be looking for when a SNMP request comes in, it tries to match it up and goes from there. On my other devices, I set the community string, etc. in order to allow them to communicate with my nagios server.

What if I want my nagios server to communicate with itself via SNMP? Where do I set THAT community string? Or, is that already set in snmpd.conf?
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Help with SNMP traps?

Post by abrist »

You should have a community string at least once set in there. You may have to change it. For snmp v1:

Code:

## public- and private-community string (for SNMP V1):
## default is “public” and “private”
public:       newpublic
private:      newprivate

You should have a trap community directive as well, you may want to make sure that is set to the right community:

Code:

trap sink:       tcp_ip
trap community:  public
authentraps:     no

I assume you are checking more than 1 oid, correct? Are the other oid/traps you set up appearing in unconfigured objects, the CCM or in the nagios service/host details?
jbennett
Posts: 522
Joined: Mon Apr 16, 2012 3:00 pm

Re: Help with SNMP traps?

Post by jbennett »

From my previous post, this is my snmpd.conf file. Are you saying that it shouldn't be in here? That it should be somewhere else? I'm confused since I posted this yesterday and it seems that you're essentially telling me to do what I already posted. If this is not correct, please clarify where I need to make sure the community string is located. Your formatting is different from how this file is configured it seems.

There are absolutely NO items showing up in Unconfigured objects. It's not that the wrong items are showing up, or something I'm not expecting is showing up, it's that there are absolutely ZERO objects showing up in unconfigured objects.

jbennett wrote: Is there somewhere that I should set the community name that the BOX uses for snmp (assuming that snmpd.conf is setting the community name that the snmpd service is looking for)?

Code:

# SECTION: Access Control Setup
#
#   This section defines who is allowed to talk to your running
#   snmp agent.

# rwuser: a SNMPv3 read-write user
#   arguments:  user [noauth|auth|priv] [restriction_oid]

rwuser  roadway auth

# rouser: a SNMPv3 read-only user
#   arguments:  user [noauth|auth|priv] [restriction_oid]

rouser  roadway auth .1.3.6.1.4.1.8072

# rocommunity: a SNMPv1/SNMPv2c read-only access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rocommunity  roadway  .1.3.6.1.2.1.1

# rwcommunity: a SNMPv1/SNMPv2c read-write access community name
#   arguments:  community [default|hostname|network/bits] [oid]

rwcommunity  roadway



###########################################################################
# SECTION: Trap Destinations
#
#   Here we define who the agent will send traps to.

# trapsink: A SNMPv1 trap receiver
#   arguments: host [community] [portnum]

trapsink  localhost roadway 162

# trap2sink: A SNMPv2c trap receiver
#   arguments: host [community] [portnum]

trap2sink  localhost roadway 162

# informsink: A SNMPv2c inform (acknowledged trap) receiver
#   arguments: host [community] [portnum]

informsink  localhost roadway 162

# trapcommunity: Default trap sink community to use
#   arguments: community-string

trapcommunity  roadway

# authtrapenable: Should we send traps when authentication failures occur
#   arguments: 1 | 2   (1 = yes, 2 = no)

authtrapenable  1
nscott
Posts: 1040
Joined: Wed May 11, 2011 8:54 am

Re: Help with SNMP traps?

Post by nscott »

jbennett,

Those traps that are being generated, those 600 some traps are from improper auth as indicated. They are (or were) being generated by your own SNMP server due to the fact that you have authtrapenable specified in your snmpd.conf file. So there was some source that was sending traps with a bad community string.

It did however say that it had found unknown traps as well, which may very well be what is happening to your traps. Does the /var/log/snmptt/snmpttunknown.log file exist? I see you and Scott had spoken about it before, but that was never specified whether or not that file existed and when its last modification date was. Can you see if it exists, when was it created? Then what exists inside of it? If the OIDs that are getting relegated to the unknown log are the traps you want to have Nagios use, we'll have to add those to an snmptt.conf file.
Nicholas Scott
Former Nagios employee
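
Added example, not part of the original thread: one way to answer the two questions raised above (are all logged traps the same OID, and how many went unknown) by tallying log lines per OID and host and reading SNMPTT's statistics line. The sample log is constructed in the format quoted in the thread; the linkDown line, the host switch01 and the function name are invented for this example.

```python
import re
from collections import Counter

AUTH_FAILURE_OID = ".1.3.6.1.6.3.1.1.5.5"  # OID on the log lines quoted in the thread

# Constructed sample: trap lines as in /var/log/snmptt/snmptt.log plus the
# statistics line from the first post (a different log, joined here for brevity).
SAMPLE_LOG = """\
Tue Apr  9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" nagiosserver - An authenticationFailure trap signifies that the SNMP
Tue Apr  9 07:49:55 2013 .1.3.6.1.6.3.1.1.5.5 Warning "Status Events" localhost - An authenticationFailure trap signifies that the SNMP
Tue Apr  9 07:52:10 2013 .1.3.6.1.6.3.1.1.5.3 Normal "Status Events" switch01 - A linkDown trap (constructed line)
Wed Apr  3 11:07:17 2013 Total traps received=690,Total traps translated=658,Total traps ignored=0,Total unknown traps=32
"""

# timestamp, OID, severity, "category", host, " - ", message
TRAP_RE = re.compile(
    r'^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (?P<oid>\.\d[\d.]*) (?P<sev>\S+) '
    r'"(?P<cat>[^"]*)" (?P<host>\S+) - ')
STATS_RE = re.compile(r'Total (unknown traps|traps \w+)=(\d+)')


def summarise(log_text):
    """Tally traps per (OID, host) and read SNMPTT's running totals."""
    per_source, stats = Counter(), {}
    for line in log_text.splitlines():
        trap = TRAP_RE.match(line)
        if trap:
            per_source[(trap["oid"], trap["host"])] += 1
        else:
            stats.update((name, int(value)) for name, value in STATS_RE.findall(line))
    logged = sum(per_source.values())
    auth = sum(n for (oid, _), n in per_source.items() if oid == AUTH_FAILURE_OID)
    return {
        "per_source": dict(per_source),
        "auth_failure_share": auth / logged if logged else 0.0,
        "stats": stats,
        # Received minus translated minus ignored; with the thread's figures
        # this matches the "unknown traps" counter.
        "unaccounted": stats.get("traps received", 0)
        - stats.get("traps translated", 0) - stats.get("traps ignored", 0),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```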