
SNMP Trap - snmptrapd Service

snmptrapd Service

The snmptrapd service is what receives an SNMP Trap from the networking stack and then places it into a spool directory for the snmptt service to process.

These steps help confirm that the snmptrapd service is working correctly. Before proceeding, you should already have followed the other troubleshooting articles "Inbound UDP Traffic" and "Firewall Rules".

 

 

Editing Files

In many steps of this article you will be required to edit files. This documentation will use the vi text editor. When using the vi editor:

  • To make changes press i on the keyboard first to enter insert mode
  • Press Esc to exit insert mode
  • When you have finished, save the changes in vi by typing :wq and press Enter

 

 

Is The snmptrapd Service Running?

Establish an SSH session to the Nagios server that is receiving SNMP Traps and execute the command for your operating system (OS):

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl status snmptrapd.service

 

If snmptrapd is running, it should produce output like:

snmptrapd (pid  11612) is running...

 

If snmptrapd is NOT running, it will produce output like:

snmptrapd is stopped

 

If the snmptrapd service is NOT running, this means that SNMP Traps will not be received and spooled. To ENABLE snmptrapd on boot and to start it, execute the following commands depending on your OS:

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl enable snmptrapd.service
systemctl start snmptrapd.service

 

If snmptrapd is NOT installed, it will produce output like:

snmptrapd: unrecognized service

If you find that snmptrapd is not installed, you need to follow the guide "How to Integrate SNMP Traps With Nagios XI".

 

Also, you should confirm that the snmptt service is installed. If it is not, the snmptrapd service is going to have problems. Execute the command for your operating system (OS):

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl status snmptt.service

 

If snmptt is running, it should produce output like:

snmptt (pid  11612) is running...

 

If snmptt is NOT running, it will produce output like:

snmptt is stopped

 

If you find that snmptt is not installed, you need to follow the guide "How to Integrate SNMP Traps With Nagios XI".

 

 

Restart snmptrapd Service

Steps below will require you to restart the snmptrapd service. The commands for your OS are as follows:

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl restart snmptrapd.service

 

 

 

Stop snmptrapd Service

Steps below will require you to stop the snmptrapd service. The commands for your OS are as follows:

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl stop snmptrapd.service

 

 

Confirm Traps Are Spooled

When SNMP Traps are working correctly they are placed into the spool folder by snmptrapd and almost instantly snmptt processes the spooled trap and then deletes it. In the following steps, we are going to stop the snmptt service so it does not process the trap. This lets you confirm that the received traps are actually being spooled.

To stop the snmptt service execute the command for your operating system (OS):

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl stop snmptt.service

 

Which should produce output like:

Stopping snmptt:                                           [  OK  ]

 

Next, from the device that sends SNMP Traps, get it to send through a trap.

Once received, it will be created as a file in /var/spool/snmptt/

To see if the file exists type the following command:

ls -al /var/spool/snmptt/

Which should show a directory listing of the spooled traps, for example they are named:

-rw-r--r--  1 root   root    395 Mar 25 11:43 #snmptt-trap-1427244215674243

 

You can view the contents of the trap with the following command:

cat /var/spool/snmptt/#snmptt-trap-1427244215674243

Which should output something like:

1427244215
snmpsender.domain.local
UDP: [10.25.5.20]:50655->[10.25.5.30]
DISMAN-EVENT-MIB::sysUpTimeInstance 0:1:10:08.85
SNMPv2-MIB::snmpTrapOID.0 SNMPv2-SMI::enterprises.20006.1.7
SNMPv2-SMI::enterprises.20006.1.3.1.2 "CentOS"
SNMPv2-SMI::enterprises.20006.1.3.1.6 "Users"
SNMPv2-SMI::enterprises.20006.1.3.1.7 0
SNMPv2-SMI::enterprises.20006.1.3.1.17 "USERS OK - 0 users currently logged in"

 

The first line is the number 1427244215, this is the time stamp of when the trap was received (epoch value).
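
The spool file layout described above can be read back with a short script. This is an added example, not part of the original article: the function names are hypothetical, the field layout is assumed from the sample file shown above, and GNU date is assumed for the epoch conversion.

```shell
#!/bin/sh
# Added example (not from the original article): summarise spooled traps.
# Assumed layout, from the sample above: line 1 epoch, line 2 sender name,
# line 3 transport string, remaining lines "OID value" pairs.

summarize_trap() (
    file=$1
    {
        IFS= read -r epoch
        IFS= read -r host
        IFS= read -r transport
    } < "$file" || return 1
    # A spool file must start with a plain epoch value.
    case $epoch in '' | *[!0-9]*) return 1 ;; esac
    # The sender address is the first bracketed field of the transport line.
    src=${transport#*\[}
    src=${src%%\]*}
    oid=$(awk '$1 == "SNMPv2-MIB::snmpTrapOID.0" { print $2; exit }' "$file")
    when=$(date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ') || return 1  # GNU date
    printf '%s %s %s %s\n' "$when" "$host" "$src" "${oid:-unknown}"
)

# Summarise every spool file in a directory; report files that fail to parse.
summarize_spool() (
    for f in "$1"/'#snmptt-trap-'*; do
        [ -f "$f" ] || continue
        summarize_trap "$f" || printf 'unparsed: %s\n' "$f" >&2
    done
)

# Constructed sample mirroring the spool file shown above.
write_sample_trap() {
    cat > "$1/#snmptt-trap-1427244215674243" <<'EOF'
1427244215
snmpsender.domain.local
UDP: [10.25.5.20]:50655->[10.25.5.30]
DISMAN-EVENT-MIB::sysUpTimeInstance 0:1:10:08.85
SNMPv2-MIB::snmpTrapOID.0 SNMPv2-SMI::enterprises.20006.1.7
SNMPv2-SMI::enterprises.20006.1.3.1.17 "USERS OK - 0 users currently logged in"
EOF
}

# Usage: sh <this script> /var/spool/snmptt   (while snmptt is stopped)
if [ $# -gt 0 ]; then summarize_spool "$1"; fi
```

Each output line gives the receive time in UTC, the sender name, the source address and the trap OID, which makes an unexpected sender easy to spot while snmptt is stopped.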

 

 

Files Created in /var/spool/snmptt/

If you are seeing files being created in the directory /var/spool/snmptt/, then this confirms that snmptrapd is working correctly.



Files NOT being created in /var/spool/snmptt/

If you are NOT seeing files being created in the directory /var/spool/snmptt/, then there may be a permissions issue. To check the permissions execute the command:

ls -dl /var/spool/snmptt/

Which should show the permissions as follows:

drwxrwxr-x 2 snmptt snmptt 4096 Mar 25 11:51 /var/spool/snmptt/

 

If the permissions and owner are not correct then execute these commands:

chown snmptt:snmptt /var/spool/snmptt/
chmod u=rwx,g=rwx,o=rx /var/spool/snmptt/

 

Then confirm the permissions are now correct:

ls -dl /var/spool/snmptt/

Once you have done this, from the device that sends SNMP Traps, get it to send through a trap. Then confirm it is created as a file in /var/spool/snmptt/.

 

If you are still NOT seeing files being created in the directory /var/spool/snmptt/, then there may be an issue with the snmptrapd configuration. To see the configuration execute the following command:

cat /etc/snmp/snmptrapd.conf

 

This shows the snmptrapd configuration file. This is a very basic file and should look like this:

disableAuthorization yes
traphandle default /usr/sbin/snmptthandler

If your snmptrapd.conf is different, please correct it (using an editor like "vi") and then restart the snmptrapd service.

 

You should also confirm that the following file exists and is at least version 1.2 by executing the following command:

/usr/sbin/snmptthandler --version

 

Which would produce this output:

SNMPTTHANDLER v1.2
(c) 2002-2007 Alex Burger

 

If you are still not receiving SNMP traps in the snmptt spool directory, please confirm the spool directory setting used by executing the following command:

grep spool_directory /etc/snmp/snmptt.ini

 

Which should produce this output:

spool_directory = /var/spool/snmptt/

 

Please confirm this directory exists AND the permissions are correct (covered in an earlier section in this article).
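
The checks in this section (snmptrapd.conf contents, handler presence, spool_directory setting, directory owner and mode) can be run in one pass. This is an added example, not part of the original article: check_trap_chain is a hypothetical name, GNU stat is assumed, and treating authCommunity or authUser lines as an acceptable alternative to "disableAuthorization yes" is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the original article): run the spool checks above
# in one pass. Default paths and owner are the ones the article uses.

check_trap_chain() (
    conf=${1:-/etc/snmp/snmptrapd.conf}
    ini=${2:-/etc/snmp/snmptt.ini}
    owner=${3:-snmptt:snmptt}
    rc=0
    fail() { printf 'FAIL %s\n' "$1"; rc=1; }

    # snmptrapd.conf: every trap must be handed to snmptthandler.
    handler=$(awk '$1 == "traphandle" && $2 == "default" { print $3; exit }' \
        "$conf" 2>/dev/null)
    if [ -z "$handler" ]; then fail "no 'traphandle default' line in $conf"
    elif [ ! -x "$handler" ]; then fail "$handler is missing or not executable"
    fi
    # Assumption: authCommunity/authUser lines are accepted in place of
    # 'disableAuthorization yes'. Net-SNMP 5.3+ ignores traps with neither.
    grep -Eiq '^[[:space:]]*(disableAuthorization[[:space:]]+yes|auth(Community|User)[[:space:]])' \
        "$conf" 2>/dev/null || fail "no authorization directive in $conf"

    # snmptt.ini: spool_directory must exist with the expected owner and mode.
    spool=$(sed -n 's/^[[:space:]]*spool_directory[[:space:]]*=[[:space:]]*//p' \
        "$ini" 2>/dev/null | head -n 1)
    if [ -z "$spool" ]; then fail "spool_directory not set in $ini"
    elif [ ! -d "$spool" ]; then fail "$spool is not a directory"
    else
        actual=$(stat -c '%U:%G' "$spool")   # GNU stat
        mode=$(stat -c '%a' "$spool")
        [ "$actual" = "$owner" ] || fail "$spool owned by $actual, want $owner"
        [ "$mode" = 775 ] || fail "$spool mode is $mode, want 775"
    fi
    return "$rc"
)

# Usage: sh <this script> /etc/snmp/snmptrapd.conf /etc/snmp/snmptt.ini
if [ $# -gt 0 ]; then check_trap_chain "$@"; fi
```

A mode other than 775 is reported even when it is more permissive, so a world-writable spool directory shows up as a failure.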

 

Another problem which can delay SNMP traps arriving in the snmptt spool directory can be caused by slow DNS lookups.

In some implementations it has been observed that it took four hours from when the UDP traffic was observed hitting the Nagios server to when the trap file was created in the spool directory. In this specific instance the customer was using an external DNS server (8.8.8.8 = Google public DNS server).

To stop snmptrapd from performing DNS lookups edit the file:

/etc/init.d/snmptrapd

 

Change the OPTIONS (line 29) so it has the -n argument:

OPTIONS="-n -Lsd -p /var/run/snmptrapd.pid"

 

Save the file and restart the snmptrapd service.

 

If you are still having problems, your next step is to enable logging.

 

 

snmptrapd Logging

These steps explain how to enable the snmptrapd daemon to log its output to a file. This is useful for determining exactly what snmptrapd is doing with the SNMP Traps it receives.

To enable the option you need to edit the INIT script to add an extra option. The steps are slightly different depending on the operating system version being used:

 

RHEL 6 | CentOS 6 | Oracle Linux 6

Edit the /etc/sysconfig/snmptrapd file:

Find this line:

OPTIONS="-Ln -p /var/run/snmptrapd.pid"

 

Add -Lf /var/log/snmptrapd.log to the line:

OPTIONS="-Ln -Lf /var/log/snmptrapd.log -p /var/run/snmptrapd.pid"

 

Now restart the SNMPTRAPD service:

service snmptrapd restart

You can now proceed to the Check Log File section below.

 

RHEL 7 | CentOS 7 | Oracle Linux 7

Edit the /etc/sysconfig/snmptrapd file:

Add this line:

OPTIONS="-Lsd -Lf /var/log/snmptrapd.log"

 

Now restart the SNMPTRAPD service:

systemctl daemon-reload
systemctl restart snmptrapd.service

You can now proceed to the Check Log File section below.

 

Ubuntu 16

Edit the /etc/default/snmptrapd file:

Find this line:

TRAPDOPTS='-Lsd -p /run/snmptrapd.pid'

 

Add -Lf /var/log/snmptrapd.log to the line:

TRAPDOPTS='-Lsd -Lf /var/log/snmptrapd.log -p /run/snmptrapd.pid'

 

Now restart the SNMPTRAPD service:

systemctl daemon-reload
systemctl restart snmptrapd.service

You can now proceed to the Check Log File section below.

 

Debian 9 | Ubuntu 18

Execute the following command:

systemctl edit snmptrapd.service

 

Paste the following into the new file:

[Service]
ExecStart=
ExecStart=/usr/sbin/snmptrapd -Ln -f -Lf /var/log/snmptrapd.log

 

Now restart the SNMPTRAPD service:

systemctl daemon-reload
systemctl restart snmptrapd.service

You can now proceed to the Check Log File section below.

 

Check Log File

The steps above add the -Lf option to the snmptrapd startup options to enable logging. The snmptrapd activity is now logged in:

/var/log/snmptrapd.log

You can watch the log information by running this command:

tail -f /var/log/snmptrapd.log


Which should produce output like:

NET-SNMP version 5.7.2
2015-03-25 13:25:45 snmpsender.box293.local [UDP: [10.25.5.20]:53145->[10.25.5.30]]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1033824) 2:52:18.24 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.20006.1.7 SNMPv2-SMI::enterprises.20006.1.3.1.2 = STRING: "CentOS" SNMPv2-SMI::enterprises.20006.1.3.1.6 = STRING: "Users" SNMPv2-SMI::enterprises.20006.1.3.1.7 = INTEGER: 1SNMPv2-SMI::enterprises.20006.1.3.1.17 = STRING: "USERS WARNING - 1 users currently logged in"

 

 

snmptrapd Debug Output

These steps explain how to start the snmptrapd daemon to log more verbose debug output to the screen. This is useful for determining exactly what snmptrapd is doing with the SNMP Traps it receives.

First you need to stop the snmptrapd service by executing the command for your OS.

 

Now execute the following command to start snmptrapd in the console:

snmptrapd -D -f -Loe

Any traps received will now be output on the screen. You can use this output to help troubleshoot snmptrapd issues you may be having.

 

When you have finished, press CTRL + C to stop snmptrapd and then start the service so it resumes normal operation.

 

 

Start snmptt Service

Once you've completed troubleshooting make sure you start the snmptt service again with the following command for your operating system (OS):

 

RHEL 7+ | CentOS 7+ | Oracle Linux 7+ | Debian | Ubuntu 16/18/20

systemctl start snmptt.service

 

Then confirm the spooled files have been processed with the following command:

ls -al /var/spool/snmptt/

Which should show an empty directory listing.

 

 

Conclusion

With these steps you will be able to confirm if the snmptrapd service is correctly receiving SNMP Traps from a remote server.

Your next troubleshooting step would be to refer to the snmptt Service troubleshooting.

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/
