SNMP Trap notification question

[derekb]

Hi there,
I have a host setup with an SNMP Trap service. I have a question on how the alerts work. I know that I can edit the snmptt files to configure what is determined as Critical, Warning, etc.

For example, I rebooted the device that I am capture SNMP Traps for, and it shows up as follows in XI:

SNMP TrapsPassive Only Check Ok 19h 11m 32s 1/1 2015-09-23 15:31:55 Device reinitialized (coldStart)

Does this service ALWAYS show the last state received on the trap? So for example, if I had set the 'coldStart' as Critial, would the SNMP Trap service always show Critical until another event occurred?

Hopefully this makes sense.

Also, how would you handle listening for SNMP traps from multiple devices behind the same WAN? I was thinking of dropping in a small device such as a RaspberryPi configured with NRDS and have the Pi capture the traps, and send the results back to XI. Not sure if there's another way to do this without adding extra equipment at the remote site.

[derekb]

OK -- I figured out the first part. I didn't have Active Checks enabled on the SNMP Trap service. So if a Critical trap came through, it would never 'restore' back to normal.

For the second part, I'm still curious how to handle receiving traps from multiple devices that are behind the same WAN/NAT

[ssax]

There isn't any other way I can think of that doesn't involve extra equipment at the remote site. If you added hardware there you could have snmptrapd call a script that you could append the original hostname in a var on it and for the XI server to look at?

[derekb]

There isn't any other way I can think of that doesn't involve extra equipment at the remote site. If you added hardware there you could have snmptrapd call a script that you could append the original hostname in a var on it and for the XI server to look at?

That's what I was sort of thinking. I typically have a RaspberryPi at all sites running Hamachi for remote access, and running either NRDS or NRPE. When we receive traps, it'll show up from the WAN IP of the internet connection the device is behind. Is there a way I can get snmptrapd or snmptt to send the hostname I have configured in XI? This way adding the traps and services via Unconfigured Objects would be super easy.

[ssax]

I don't think you can unless it's resolvable in DNS (and exactly the same as the one in XI).

[derekb]

Anyone have any other ideas here?
Essentially I have anywhere from 1-200 IP Cameras deployed, and I want to receive traps from all of them, and send them to XI.

I can get the traps to send to my Linux device onsite just fine, and also get them to send to XI, but when I go to Unconfigured Objects it shows up as a new host as the WAN IP of the customers internet connection. I'm trying to find a way that the SNMP Traps would come into XI, and be able to associate those traps with my existing XI Host. I'm using passive checks via NRDS.

Is there anything I can add to the NRDS script to allow SNMP Traps for that host?

[gormank]

Take a look at the raw traps in syslog, and the EXEC lines in snmptt.conf. You may be able to modify snmptt.conf to change the variable in the EXEC lines. From a suggestion in another thread: "...instead of using "$r" in the EXEC lines, use "$aA" instead."

[derekb]

Also, another struggle I'm having:

Device sends SNMP trap to Linux device on-site. Device receives the trap as follows, taken from /var/log/syslog:

Code: Select all

Nov 17 18:37:48 raspberrypi snmptrapd[4637]: 2015-11-17 18:37:48 NASF389F8.local [192.168.1.161] (via UDP: [192.168.1.161]:35760->[192.168.1.139]) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.24681.1.10 Enterprise Specific Trap (1) Uptime: 5 days, 0:09:26.19#012#011iso.3.6.1.4.1.24681.1.1.101.0 = STRING: "[Pool 1] Successfully set threshold to 50%."
Nov 17 18:37:48 raspberrypi snmptrapd[4637]: 2015-11-17 18:37:48 NASF389F8.local [192.168.1.161] (via UDP: [192.168.1.161]:42222->[192.168.1.139]) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.24681.1.10 Enterprise Specific Trap (2) Uptime: 5 days, 0:09:26.59#012#011iso.3.6.1.4.1.24681.1.1.102.0 = STRING: "[Pool 1] Storage pool used size has hit its threshold (50%). Free size is 0 Byte. Low storage space may affect the performance of accessing files, please expand the capacity of the storage pool as soon as possible."

Trap gets sent over to XI server in my data centre. The trap is seen in /var/log/snmptt/snmptt.log as follows:

Code: Select all

Tue Nov 17 13:37:48 2015 enterprises.24681.1.10.0.1 Warning "Status Events" 192.168.1.161 - Info: [Pool 1] Successfully set threshold to 50%.
Tue Nov 17 13:37:48 2015 enterprises.24681.1.10.0.2 Warning "Status Events" 192.168.1.161 - [Pool 1] Storage pool used size has hit its threshold (50%). Free size is 0 Byte. Low storage space may affect the performance of accessing files, please expand the capacity of the storage pool as soon as possible.

This is great! It even shows the local IP address of the device at the customer site that sent the trap, bravo!

When I check Admin > Unconfigured Objects, I see a new host is sending traps from IP: AAA-BBB-CCC-DDD. Fine, I add it as a host and it sets up the SNMP Trap service etc, excellent.

When I go to check that SNMP Trap service in the XI Interface, it shows as follows:

Capture.JPG

As you can see, that local IP isn't displayed. That's a big one for me, as if I have multiple devices sending traps from the same customer site, how am I to determine which device it actually came from?

I hope this helps explain my dilemma and what I'm actually trying to accomplish more clearly.

[tgriep]

What gormank said should get you what you need.
You would have to edit the EXEC line in the snmptt.conf file and add $aA to it.
Take a look at this link that describes the format of the options in the snmptt.conf.
http://snmptt.sourceforge.net/docs/snmp ... ile-format

[derekb]

What gormank said should get you what you need.
You would have to edit the EXEC line in the snmptt.conf file and add $aA to it.
Take a look at this link that describes the format of the options in the snmptt.conf.
http://snmptt.sourceforge.net/docs/snmp ... ile-format

I did that earlier. All that does is show me the IP address of the device sending the trap, and it shows up as an unconfigured object for each device sending the trap.

For my example, the device is 192.168.1.161. Fine, I can accept the unconfigured object and add it per normal. But what happens if another customer has a device with the same IP address? I won't be able to add that device since there will be a duplicate.

Or am I looking at this the wrong way here?