SOPHOS UTM 9.3 SNMP trap

Posted: Wed Oct 21, 2015 9:02 pm
by kelti
Hi All,

We have a SOPHOS UTM 9.3 that we would like to monitor using SNMP traps. SOPHOS provides the ASTARO-MIB.txt.
We have a Nagios XI 2014r2.7-64 virtual machine.

We have added and processed the MIB with success.
We are able to receive the traps but they are going to snmpttunknown.log traps.

Has anyone had a similar encounter? Thank you in advance for any advice.

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Thu Oct 22, 2015 3:03 pm
by tgriep
Can you post your /etc/snmp/snmptt.conf file and the log entries that are showing up in the snmpttunknown.log file?
A quick thing to try is to restart the snmptt daemon. Try that to see if that resolves the issue.

Code:

service snmptt restart

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Thu Oct 22, 2015 8:36 pm
by kelti
Hi,

Thanks.

Code:

Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:1:55:14.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Thu Oct 22 14:06:02 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]


Thu Oct 22 14:06:07 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Fri Oct 23, 2015 12:05 pm
by tgriep
Edit /etc/snmp/snmptt.conf and change this from

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.1.5 "Status Events" Critical
to

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart
For some reason, it looks like your device isn't sending the full OID. If it doesn't match, it will not get processed and it will go into the unknown log.

Generate a TRAP and look in the Unconfigured Objects in XI; it should show up there to be configured.

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Sun Oct 25, 2015 10:17 pm
by kelti
Hi,

I generated a failed web login but it does not show in the unconfigured objects. It went to snmpttunknown.log

This is what shows up in my trap viewer. *attached jpg file

Code:

Mon Oct 26 11:03:40 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:0:25:15.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.2.5=[utm][WARN][005]

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Sun Oct 25, 2015 11:10 pm
by Box293
tgriep wrote: Edit /etc/snmp/snmptt.conf and change this from

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.1.5 "Status Events" Critical
to

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart
For some reason, it looks like your device isn't sending the full OID. If it doesn't match, it will not get processed and it will go into the unknown log.

Generate a TRAP and look in the Unconfigured Objects in XI; it should show up there to be configured.
Try

Code:

EVENT INFO-005 .1.3.6.1.4.1.9789.1500.* "Status Events" Critical
Save it out and restart snmptt

Code:

service snmptt restart

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Mon Oct 26, 2015 10:29 pm
by kelti
Hi,
I edited two OIDs and managed to see both of them surface in snmptt.log.
I simulated a failed web login and Nagios did display the 'Failed WebAdmin' trap, but not the 'System was restarted' trap after I restarted the UTM.

Thanks.

Code:

EVENT info-000 .1.3.6.1.4.1.9789.1500 "Status Events" Warning
FORMAT System was restarted $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "System was restarted $*"
SDESC
System was restarted
Variables:
EDESC
#
EVENT warn-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
FORMAT Failed WebAdmin login $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "Failed WebAdmin login $*"
SDESC
Failed WebAdmin login
Variables:
EDESC

Code:

Tue Oct 27 10:50:06 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][WARN][005]
Tue Oct 27 10:50:06 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][WARN][005]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][007]
Tue Oct 27 10:52:27 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][007]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Warning "Status Events" 10.0.0.61 - System was restarted [utm][INFO][000]
Tue Oct 27 10:53:56 2015 .1.3.6.1.4.1.9789.1500 Critical "Status Events" 10.0.0.61 - Failed WebAdmin login [utm][INFO][000]

Re: SOPHOS UTM 9.3 SNMP trap

Posted: Tue Oct 27, 2015 12:56 am
by Box293
What is happening is that both events are being captured as they are both for the same OID:

Code:

EVENT info-000 .1.3.6.1.4.1.9789.1500 "Status Events" Warning
EVENT warn-005 .1.3.6.1.4.1.9789.1500 "Status Events" Critical
Both are submitted to Nagios; however, the second one is overriding the first one, hence why you only see one in Nagios, the most recent one.

Your biggest problem is that you are receiving different traps on the same OID .1.3.6.1.4.1.9789.1500.
kelti wrote:

Code:

Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:1:55:14.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Thu Oct 22 14:06:02 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]


Thu Oct 22 14:06:07 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at: 
Value 0: 10.0.0.61
Value 1: 10.0.0.61
Value 2: 0:2:03:21.00
Value 3: .1.3.6.1.4.1.9789.1500
Value 4: 10.0.0.61
Value 5: 
Value 6: 
Value 7: 
Value 8: 
Value 9: 
Value 10: 
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.154=[utm][INFO][154]
You may need to contact the manufacturer to find out why the traps come in this way, as they were originally correctly defined in the snmptt.conf file you supplied previously. They should come in with OIDs like:
.1.3.6.1.4.1.9789.1500.2.25
.1.3.6.1.4.1.9789.1500.2.856

The fact they stop at 1500 is strange.
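To make the matching behaviour discussed in this thread concrete, here is an added example (not code from the thread, from Nagios or from snmptt itself) that parses snmpttunknown.log entries of the shape quoted above and applies snmptt-style OID matching to the two EVENT lines kelti ended up with. It shows that both EVENT entries fire for every trap because the trap OID stops at .1.3.6.1.4.1.9789.1500, while the enterprise varbind OID beneath it (1.5 vs 2.5) is the only thing that differs between the traps. The log text is constructed from the thread's entries, and the subtree semantics of a trailing ".*" are an assumption, not verified against snmptt's own matcher.

```python
import re

# Constructed sample in the shape of the snmpttunknown.log entries quoted in the thread.
UNKNOWN_LOG = """\
Thu Oct 22 13:57:50 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at:
Value 0: 10.0.0.61
Value 3: .1.3.6.1.4.1.9789.1500
Ent Value 0: .1.3.6.1.4.1.9789.1500.1.5=[utm][INFO][005]


Mon Oct 26 11:03:40 2015: Unknown trap (.1.3.6.1.4.1.9789.1500) received from 10.0.0.61 at:
Value 0: 10.0.0.61
Ent Value 0: .1.3.6.1.4.1.9789.1500.2.5=[utm][WARN][005]
"""

HEADER = re.compile(r"^(.+?): Unknown trap \((\S+)\) received from (\S+) at:")
VARBIND = re.compile(r"^Ent Value \d+: (\S+?)=(.*)$")

def parse_unknown_log(text):
    """Split snmpttunknown.log into traps: timestamp, trap OID, source and enterprise varbinds."""
    traps = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            traps.append({"time": m.group(1), "trap_oid": m.group(2),
                          "source": m.group(3), "varbinds": []})
            continue
        v = VARBIND.match(line)
        if v and traps:
            traps[-1]["varbinds"].append((v.group(1), v.group(2)))
    return traps

def oid_matches(pattern, oid):
    """Exact OID match, or a trailing '.*' matching OIDs beneath the prefix (assumed semantics)."""
    if pattern.endswith(".*"):
        return oid.startswith(pattern[:-1])  # prefix keeps its trailing dot: children only
    return pattern == oid

def matching_events(trap_oid, events):
    """Every EVENT whose OID pattern matches fires; snmptt does not stop at the first hit."""
    return [name for name, pattern in events if oid_matches(pattern, trap_oid)]

# The two EVENT lines from the thread, reduced to (name, OID pattern): same OID for both.
EVENTS = [("info-000", ".1.3.6.1.4.1.9789.1500"), ("warn-005", ".1.3.6.1.4.1.9789.1500")]

def event_key(trap):
    """Return the varbind OID suffix beneath the trap OID ('1.5', '2.5'): the only discriminator."""
    for oid, _ in trap["varbinds"]:
        if oid.startswith(trap["trap_oid"] + "."):
            return oid[len(trap["trap_oid"]) + 1:]
    return None

if __name__ == "__main__":
    for t in parse_unknown_log(UNKNOWN_LOG):
        print(t["time"], matching_events(t["trap_oid"], EVENTS), event_key(t), t["varbinds"][0][1])
```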