SNMP traps are coming as unknown

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.

Post by ericssonvietnam »

Hi Support,

Even if I define EVENTS in snmptt.conf, traps are still coming in as "unknown". Could you please help me troubleshoot it?

I am running Nagios XI 5.2.9 on CentOS 6. My configuration is as follows:

Code:

# In snmptt.ini
snmptt_conf_files = <<END
/etc/snmp/userdefined_snmptt.conf
/etc/snmp/snmptt.conf
END

[root@strmon snmp]# cat /etc/snmp/userdefined_snmptt.conf
EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.11.2.36.1.0.5  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.134  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.532  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.666  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.85  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.85  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.87  "Status Events" Normal
FORMAT $*
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"

Even after a service restart, traps are still coming in to /var/log/snmptt/snmpttunknown.log as "unknown":

Code:

Mon Nov 21 16:46:47 2016: Unknown trap (SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4) received from HOSTS at:
Value 0: HOSTS
Value 1: X.X.X.X
Value 2: 0:0:00:00.00
Value 3: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4
Value 4: X.X.X.X
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.1.1=1
Ent Value 1: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.4.1=1.3.6.1.4.1.11.10.2.1.3.25
Ent Value 2: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.2.1=HPMSl
Ent Value 3: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.5.1=http://X.X.X.X
Ent Value 4: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.6.1=Command View MSL
Ent Value 5: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.10=0x0001=Move event ;Event Code: =0x01 - move medium ;Task originator: =0x02 - CDB interpreter task ;Source element type.: =0x04 - tape drive ;Element number: =0x02, 2;Destination element type.: =0x02 - storage slot ;Element number: =0x3D, 61
Ent Value 6: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.11=Unknown
Ent Value 7: SNMP-COMMUNITY-MIB::snmpTrapAddress.0=X.X.X.X
Ent Value 8: SNMP-COMMUNITY-MIB::snmpTrapCommunity.0=ubsmonitoring
Ent Value 9: SNMPv2-MIB::snmpTrapEnterprise.0=SNMPv2-SMI-v1::enterprises.11.2.36.1


[root@strmon snmp]# grep -w SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4 ./*
./userdefined_snmptt.conf:EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4  "Status Events" Normal


Please suggest steps to fix it.

Post by tgriep »

The formatting of the entries in your /etc/snmp/userdefined_snmptt.conf file looks like it is incomplete, and there are some spelling errors as well.
A typical entry should look like the example below.

Code:

EVENT hpHttpMgOKHealthTrap .1.3.6.1.4.1.11.2.36.1.0.4 "Status Events" Normal
FORMAT The device's health has changed to OK. $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "The device's health has changed to OK. $*"
SDESC
The device's health has changed to OK.
Variables:
  1: hpHttpMgDeviceIndex
  2: hpHttpMgDeviceSysObjID
  3: hpHttpMgDeviceGlobalUniqueID
  4: hpHttpMgDeviceManagementURL
  5: hpHttpMgDeviceManagementURLLabel
  6: hpHttpMgDeviceSpecificEventCode
  7: hpHttpMgDeviceSpecificFRU
EDESC

The fastest way to fix this is to delete the bad entries and re-add them by running this command. You will need to specify the path and the name of the MIB file in the command.

Code:

addmib /path/MIBfile

This will add or update the entries in the /etc/snmp/snmptt.conf file, and you will need to restart the snmptt daemon for the changes to be applied.

Code:

service snmptt restart

Try that and let us know if you have any other questions.

Post by ssax »

What type of device is this?

Please send me the output of this command (run it on the XI server):

Code:

grep -R 'SNMPv2-SMI-v1' /usr/share/snmp/mibs/*

Did you install the SNMPv2-SMI-v1 MIB?

Code:

wget ftp://ftp.cisco.com/pub/mibs/v1/SNMPv2-SMI-V1SMI.my -O /usr/share/snmp/mibs/SNMPv2-SMI-V1SMI.my

If you restart SNMPTT does it output any messages?

Code:

service snmptt restart

Post by ericssonvietnam »

Sorry for the delayed response. I was on leave last week. Below is the requested data:

"The formatting of the entries in your /etc/snmp/userdefined_snmptt.conf file look like they are incomplete and there are some spelling errors as well."
Entries were added manually for OIDs appearing as "UNKNOWN". I've replaced "SNMPv2-SMI-v1::enterprises" with ".1.3.6.4.1" in the file. Will check and update if this change makes any difference.

"What type of device is this?"
I am trying to monitor storage hardware such as tape, NetApp, SAN switch, etc.

"output of this command grep -R 'SNMPv2-SMI-v1' /usr/share/snmp/mibs/*"

/usr/share/snmp/mibs/host-resources-mib.mib: FROM SNMPv2-SMI-v1
/usr/share/snmp/mibs/radlan-mib.mib: FROM SNMPv2-SMI-v1
/usr/share/snmp/mibs/SNMPv2-SMI-v1.mib:SNMPv2-SMI-v1 DEFINITIONS ::= BEGIN
/usr/share/snmp/mibs/snmpv2-tc-v1.mib:-- SNMPv2-SMI-v1 DEFINITIONS ::= BEGIN
/usr/share/snmp/mibs/snmpv2-tc-v1.mib:-- FROM SNMPv2-SMI-v1;

"service snmptt restart": does not report any error.

Post by ericssonvietnam »

Also,
@tgriep: .1.3.6.1.4.1.11.2.36.1.0.4 is defined exactly as you said in snmptt.conf.


EVENT hpHttpMgOKHealthTrap .1.3.6.1.4.1.11.2.36.1.0.4 "Status Events" Normal
FORMAT The device's health has changed to OK. $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "The device's health has changed to OK. $*"
SDESC
The device's health has changed to OK.
Variables:
1: hpHttpMgDeviceIndex
2: hpHttpMgDeviceSysObjID
3: hpHttpMgDeviceGlobalUniqueID
4: hpHttpMgDeviceManagementURL
5: hpHttpMgDeviceManagementURLLabel
6: hpHttpMgDeviceSpecificEventCode
7: hpHttpMgDeviceSpecificFRU
EDESC

I noticed the duplicate entry above, so I removed "userdefined_snmptt.conf" and restarted the snmptt service, but I am still getting the entry below in the unknown log.
Tue Dec 6 12:04:26 2016: Unknown trap (SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4) received fromX>X>X>X>X at:
Value 0: X>X>X>X>X>X>
Value 1: X>X>X>X>X>
Value 2: 0:0:00:00.00
Value 3: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4
Value 4: 150.236.201.202
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
Ent Value 0: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.1.1=1
Ent Value 1: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.4.1=1.3.6.1.4.1.11.10.2.1.3.25
Ent Value 2: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.2.1=X.X>X>X>X>X>
Ent Value 3: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.5.1=http://X.>X>X>X>X>
Ent Value 4: SNMPv2-SMI-v1::enterprises.11.2.36.1.1.5.1.1.6.1=Command View MSL
Ent Value 5: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.10=0x0042=Login event ;Event Code: =0x0A - login ;Task originator: =0x0F - Remote management interface ;Permission level: =0x02 - administrator
Ent Value 6: SNMPv2-SMI-v1::enterprises.11.2.36.1.0.11=Unknown
Ent Value 7: SNMP-COMMUNITY-MIB::snmpTrapAddress.0=X>X>X>X>X
Ent Value 8: SNMP-COMMUNITY-MIB::snmpTrapCommunity.0=X>X>X>X>X>
Ent Value 9: SNMPv2-MIB::snmpTrapEnterprise.0=SNMPv2-SMI-v1::enterprises.11.2.36.1

Uploading snmptt.ini and snmptt.conf.

Post by ssax »

I imported your /etc/snmp/snmptt.conf and /etc/snmp/snmptt.ini, restarted snmptt, and submitted the command manually and it worked for me so it's not likely a SNMPTT configuration issue.

Does it show in the unknown log if you manually submit it from the XI server's command line?

Code:

snmptrap -v2c -cpublic 127.0.0.1 1431439518 SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4 .1.3.6.1.2.1.2.2.1.1.1 i 1 .1.3.6.1.2.1.2.2.1.7.1 i 2 .1.3.6.1.2.1.2.2.1.8.1 i 2 .1.3.6.1.2.1.2.2.1.2.1 s Vlan1 .1.3.6.1.2.1.2.2.1.3.1 i 53 .1.3.6.1.4.1.9.2.2.1.1.20.1 s "administratively down" .1.3.6.1.6.3.18.1.3.0 a 172.29.2.254 .1.3.6.1.6.3.18.1.4.0 s LIV-NET .1.3.6.1.6.3.1.1.4.3.0 o .1.3.6.1.6.3.1.1.5

Please run this command and send us the resulting /tmp/SUPPORTFILES.zip file:

Code:

zip -r /tmp/SUPPORTFILES.zip /etc/snmp /usr/share/snmp/mibs

Also, post the output of these commands:

Code:

ls -lh /usr/sbin/snmptthandler
ls -lh /usr/local/bin

Thank you

Post by ericssonvietnam »

Requested output:

[root@strmon mibs]# ls -lh /usr/sbin/snmptthandler
-rwxr-xr-x 1 root root 6.4K Oct 22 2012 /usr/sbin/snmptthandler
[root@strmon mibs]# ls -lh /usr/local/bin/
total 23M
-rwxr-xr-x 1 root nagios 804 Jun 29 16:48 addmib
-rwxr-xr-x 1 root root 2.4K Jun 29 16:48 snmptraphandling.py
-rwxr-xr-x 1 root root 30K Jun 29 16:48 snmpttconvertmib
-rwxr-xr-x. 1 root root 9.0M Dec 2 2011 winexe
-rwxr-xr-x. 1 root root 14M Dec 2 2011 wmic
[root@strmon mibs]#


It looks like a couple of the loaded MIBs are generating errors during the snmptt restart. I definitely need to clean them up. As there are many of them, could you please suggest the best way to perform a cleanup of non-functional MIBs?

---
Below are the errors reported by snmptt during restart:
...
Undefined identifier: hpSwitchBladeType5-Mgmt near line 23827 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: acl ::= { hpSwitchBladeType5-Mgmt 9 }
Undefined identifier: hpSwitchBladeType5-Mgmt near line 22169 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: bntTraps ::= { hpSwitchBladeType5-Mgmt 7 }
Undefined identifier: hpSwitchBladeType5-Mgmt near line 21911 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: layer3 ::= { hpSwitchBladeType5-Mgmt 3 }
Undefined identifier: hpSwitchBladeType5-Mgmt near line 11056 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: layer2 ::= { hpSwitchBladeType5-Mgmt 2 }
Undefined identifier: hpSwitchBladeType5-Mgmt near line 5873 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: agent ::= { hpSwitchBladeType5-Mgmt 1 }
Undefined identifier: hpSwitchBladeType5-Mgmt near line 53 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Unlinked OID in BLADETYPE5-NETWORK-MIB: hpProLiant-GbE2c-1-10G-InterconnectSwitch ::= { hpSwitchBladeType5-Products 1 }
Undefined identifier: hpSwitchBladeType5-Products near line 44 of /usr/share/snmp/mibs/gbe2c-1-10g-l2l3.mib
Did not find 'compaq' in module CPQHOST-MIB (/usr/share/snmp/mibs/cpqdsccs.mib)
Did not find 'sysName' in module RFC1213-MIB (/usr/share/snmp/mibs/cpqdsccs.mib)
Did not find 'sysDescr' in module RFC1213-MIB (/usr/share/snmp/mibs/cpqdsccs.mib)
Did not find 'sysContact' in module RFC1213-MIB (/usr/share/snmp/mibs/cpqdsccs.mib)
Did not find 'sysLocation' in module RFC1213-MIB (/usr/share/snmp/mibs/cpqdsccs.mib)
Unlinked OID in CPQDSCCS-MIB: cpqDsccs ::= { compaq 171 }
Undefined identifier: compaq near line 212 of /usr/share/snmp/mibs/cpqdsccs.mib
Expected "(" (_): At line 282 in /usr/share/snmp/mibs/nsainfo.mib
Should be ACCESS (Vectra): At line 282 in /usr/share/snmp/mibs/nsainfo.mib
Bad parse of OBJECT-TYPE: At line 282 in /usr/share/snmp/mibs/nsainfo.mib
Did not find 'enterprises' in module RFC1155-SMI (/usr/share/snmp/mibs/smsagent.mib)
Unlinked OID in SMSAGENT-MIB: unisys ::= { enterprises 223 }
Undefined identifier: enterprises near line 11 of /usr/share/snmp/mibs/smsagent.mib
Did not find 'enterprises' in module RFC1155-SMI (/usr/share/snmp/mibs/adaptec.mib)
Unlinked OID in CYCLONE-MIB: adaptec ::= { enterprises 795 }
Undefined identifier: enterprises near line 22 of /usr/share/snmp/mibs/adaptec.mib
Did not find 'compaq' in module CPQHOST-MIB (/usr/share/snmp/mibs/cpqlinos.mib)
Did not find 'sysName' in module RFC1213-MIB (/usr/share/snmp/mibs/cpqlinos.mib)
Unlinked OID in CPQLINOS-MIB: cpqLinOsMgmt ::= { compaq 23 }
Undefined identifier: compaq near line 42 of /usr/share/snmp/mibs/cpqlinos.mib
Did not find 'hh3c' in module HH3C-OID-MIB (/usr/share/snmp/mibs/hh3c-common-system-mib.mib)
Unlinked OID in HH3C-COMMON-SYSTEM-MIB: hh3cSystem ::= { hh3c 6 }
Undefined identifier: hh3c near line 34 of /usr/share/snmp/mibs/hh3c-common-system-mib.mib
Did not find 'hrMIBAdminInfo' in module HOST-RESOURCES-MIB (/usr/share/snmp/mibs/HOST-RESOURCES-TYPES.txt)
Did not find 'hrStorage' in module HOST-RESOURCES-MIB (/usr/share/snmp/mibs/HOST-RESOURCES-TYPES.txt)
Did not find 'hrDevice' in module HOST-RESOURCES-MIB (/usr/share/snmp/mi
.......
.....

Post by ericssonvietnam »

I've performed a cleanup of all newly added MIBs and tried to execute your snmptrap test command, but nothing gets logged in snmpttunknown.log. Also, it says the module is missing, but I can see it is there in the same path.

/usr/share/snmp/mibs/SNMPv2-SMI.txt

snmptrap -v2c -cpublic 127.0.0.1 1431439518 SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4 .1.3.6.1.2.1.2.2.1.1.1 i 1 .1.3.6.1.2.1.2.2.1.7.1 i 2 .1.3.6.1.2.1.2.2.1.8.1 i 2 .1.3.6.1.2.1.2.2.1.2.1 s Vlan1 .1.3.6.1.2.1.2.2.1.3.1 i 53 .1.3.6.1.4.1.9.2.2.1.1.20.1 s "administratively down" .1.3.6.1.6.3.18.1.3.0 a 172.29.2.254 .1.3.6.1.6.3.18.1.4.0 s LIV-NET .1.3.6.1.6.3.1.1.4.3.0 o .1.3.6.1.6.3.1.1.5
No log handling enabled - turning on stderr logging
Cannot find module (SNMPv2-SMI-v1): At line 0 in (none)
SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4: Unknown Object Identifier

Post by ericssonvietnam »

Looks like there were a couple of issues:
1: Most of the loaded MIBs were reporting errors at the time of the snmptt service restart: removed each of them.
2: Nodes were integrated into XI with hostname only, whereas traps were coming from the FQDN, hence the mismatch: fixed it with "strip_domain =1" in snmptt.ini.

Now traps are appearing as expected on the XI portal.

Now the only unanswered question is why I am getting "module missing" even when the file exists in the path (question from my last post, i.e. Cannot find module (SNMPv2-SMI-v1): At line 0 in (none)).
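
Added example, not part of the original thread and not Nagios or SNMPTT code: a Python triage that compares the EVENT lines of a snmptt.conf with the OIDs in snmpttunknown.log, treating `SNMPv2-SMI-v1::enterprises` and `.1.3.6.1.4.1` as the same prefix. The function names and the second log line are assumptions made for the example; a trap listed under `unknown_despite_event` already has an EVENT, so the EVENT lines are not what is missing.

```python
import re
from collections import Counter

ENTERPRISES = ".1.3.6.1.4.1"  # numeric form of <module>::enterprises
EVENT_RE = re.compile(r'^EVENT\s+\S+\s+(\S+)\s+"[^"]*"\s+\S+')
UNKNOWN_RE = re.compile(r"Unknown trap \((\S+)\) received from")

def numeric_oid(oid):
    """Rewrite MODULE::enterprises.X as .1.3.6.1.4.1.X; dot-prefix bare numeric OIDs."""
    m = re.fullmatch(r"[\w-]+::enterprises((?:\.\d+)*)", oid)
    if m:
        return ENTERPRISES + m.group(1)
    return "." + oid.lstrip(".") if re.fullmatch(r"\.?\d+(\.\d+)*", oid) else oid

def parse_conf(conf_text):  # -> (EVENT OIDs in file order, set of EXEC program paths)
    oids, handlers = [], set()
    for line in conf_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            oids.append(numeric_oid(m.group(1)))
        elif line.startswith("EXEC "):
            handlers.add(line.split()[1])
    return oids, handlers

def triage(conf_text, unknown_log, installed_handlers):
    oids, handlers = parse_conf(conf_text)
    counts = Counter(oids)
    logged = {numeric_oid(o) for o in UNKNOWN_RE.findall(unknown_log)}
    return {
        "duplicate_oids": sorted(o for o, n in counts.items() if n > 1),
        "missing_handlers": sorted(handlers - set(installed_handlers)),
        "no_event_defined": sorted(logged - set(counts)),
        "unknown_despite_event": sorted(logged & set(counts)),
    }

# CONF and the first LOG line are copied from the thread; the .0.99 log line is constructed.
CONF = '''\
EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4  "Status Events" Normal
EXEC /usr/local/bin/snmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"
EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.85  "Status Events" Normal
EXEC /usr/local/bin/sinmptraphandling.py "$r" "SNMP Traps" "$s" "$@" "$-*" "$*"
EVENT TapeSuspended SNMPv2-SMI-v1::enterprises.789.0.85  "Status Events" Normal
'''
LOG = ("Mon Nov 21 16:46:47 2016: Unknown trap (SNMPv2-SMI-v1::enterprises.11.2.36.1.0.4) received from HOSTS at:\n"
       "Mon Nov 21 16:50:00 2016: Unknown trap (SNMPv2-SMI-v1::enterprises.11.2.36.1.0.99) received from HOSTS at:\n")
INSTALLED = {"/usr/local/bin/snmptraphandling.py"}  # per the ls output in the thread

if __name__ == "__main__":
    print(triage(CONF, LOG, INSTALLED))
```
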

Post by rkennedy »

Now the only unanswered question is why I am getting "module missing" even when the file exists in the path (question from my last post, i.e. Cannot find module (SNMPv2-SMI-v1): At line 0 in (none)).
You still appear to be missing the MIB file, what are the permissions on it? I suspect it's either permissions, or not done properly. Take a look at this link for a further explanation - http://www.net-snmp.org/FAQ.html#What_d ... IB___mean_
Former Nagios Employee