SourceForge.net SNMPTT Project Buy Me a Coffee at ko-fi.com

SNMP Trap Translator v1.5beta2

(SNMPTT)

This file was last updated on: November 27th, 2021

License

SNMPTT

License

Copyright 2002-2021 Alex Burger
[email protected]
4/3/2002

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

What is it?

SNMPTT (SNMP Trap Translator) is an SNMP trap handler written in Perl for use with the Net-SNMP snmptrapd program (www.net-snmp.org). SNMPTT supports Linux, Unix and Windows.

Many network devices including but not limited to network switches, routers, remote access servers, UPSs, printers and operating systems such as Unix and Windows have the ability to send notifications to an SNMP manager running on a network management station. The notifications can be either SNMP Traps, or SNMP Inform messages.

The notifications can contain a wide array of information such as port failures, link failures, access violations, power outages, paper jams, hard drive failures etc. The MIB (Management Information Base) available from the vendor determines the notifications supported by each device.

The MIB file contains TRAP-TYPE (SMIv1) or NOTIFICATION-TYPE (SMIv2) definitions, which define the variables that are passed to the management station when a particular event occurs.

The Net-SNMP program snmptrapd is an application that receives and logs SNMP trap and inform messages via TCP/IP. Following is a sample syslog entry for a Compaq cpqDa3LogDrvStatusChange trap that notifies that the drive array is rebuilding using numeric OIDs:

Feb 12 13:37:10 server11 snmptrapd[25409]: 192.168.110.192: Enterprise Specific Trap (3008) Uptime: 306 days, 23:13:24.29, .1.3.6.1.2.1.1.5.0 = SERVER08, .1.3.6.1.4.1.232.11.2.11.1.0 = 0, .1.3.6.1.4.1.232.3.2.3.1.1.4.8.1 = rebuilding(7)

Here is the same trap using symbolic OIDs.

Feb 12 13:37:10 server11 snmptrapd[25409]: 192.168.110.192: Enterprise Specific Trap (3008) Uptime: 306 days, 23:13:24.29, sysName.0 = SERVER08, cpqHoTrapFlags.0 = 0, cpqDaLogDrvStatus.8.1 = rebuilding(7)

The output from snmptrapd can be changed via the -O option to display numeric or symbolic OIDs and other display options, but it generally follows the format of variable name = value, variable name = value etc.

A more descriptive / friendly trap message can be created using SNMPTT's variable substitution. Following is the same trap, logged with SNMPTT:

Feb 12 13:37:13 server11 TRAPD: .1.3.6.1.4.1.232.0.3008 Normal "LOGONLY" server08 - Logical Drive Status Change: Status is now rebuilding

The definition for the cpqDa3LogDrvStatusChange trap in the SNMPTT configuration file would be defined as follows:

FORMAT Logical Drive Status Change: Status is now $3.

The $3 represents the third variable as defined in the MIB file, which for this particular trap, is the cpqDaLogDrvStatus variable.

Another example of an SNMPTT configuration entry is:

FORMAT Compaq Drive Array Spare Drive on controller $4, bus $5, bay $6 status is $3.

Which could result in the following output:

"Compaq Drive Array Spare Drive on controller 3, bus 0, bay 3 status is Failed."

SNMPTT can log to any of the following destinations: text log, syslog, Windows Event log or a SQL database such as MySQL, PostreSQL or an ODBC accessible database such as Microsoft SQL. External programs can also be run to pass th e translated trap to an email client, paging software, Nagios, Icinga etc.

In addition to variable substitution, SNMPTT allows complex configurations allowing:

As of SNMPTT 1.5, both IPv4 and IPv6 are supported.

Downloading

SNMPTT can be downloaded from the Sourceforge files page. The primary git source code repository is avaialble at Sourceforge and a mirror is available at GitHub.

Requirements

Perl Modules

R/O Program / Module rpm deb
Required Net-SNMP (formerly known as UCD-SNMP). Specifically snmptrapd. net-snmp, net-snmp-utils snmp, snmptrapd
Required Text::ParseWords module (included with most distributions) perl-Text-ParseWords
Required Getopt::Long module (included with most distributions)
Required Posix module (included with most if not all distributions)
Required Config::IniFiles module perl-Config-IniFiles libconfig-inifiles-perl
Required Time::HiRes module (only required when using SNMPTT in daemon mode - required by snmptthandler) perl-Time-HiRes libtime-hires-perl
Required Sys::Hostname module (included with most if not all distributions).
Required File::Basename module (included with most if not all distributions).
Required Text::Balanced module (included with most if not all distributions).
Optional Net::IP module. Required for IPv6 support. perl-Net-IP libnet-ip-perl
Optional IO::Socket::IP module (included with most if not all distributions). Required for DNS translations.
Optional Sys::Syslog module (included with most Unix distributions). Required for Syslog support using Unix sockets (local syslog). perl-Sys-Syslog
Optional Log::Syslog::Fast and Log::Syslog::Constants modules. Required for remote syslog and RFC5424 support.
Optional DBI module. Required for DBD::MySQL, DBD::PgPP and DBD::ODBC support. perl-DBI libclass-dbi-perl
Optional DBD::mysql module. Required for MySQL support. perl-DBD-MySQL libdbd-mysql-perl
Optional DBD::PgPP or DBD:Pg module. Required for PostgreSQL support. perl-DBD-Pg libdbd-pg-perl
Optional DBD::ODBC module. Required for ODBC (SQL etc) access on Linux / Windows (Win32::ODBC not required if using DBD::ODBC) perl-DBD-ODBC libdbd-odbc-perl
Optional Win32::ODBC module. Required for ODBC (SQL etc) access on Windows (DBD::ODBC not required if using Win32::ODBC)
Optional Net-SNMP Perl module. Only required for features that perform conversions between symbolic and numeric OIDs. This is NOT the same as the Net::SNMP module availabe from CPAN. net-snmp-perl libsnmp-perl
Optional threads and Thread::Semaphore modules (included with most if not all distributions). Required when enabling threads for EXEC statements. perl-threads libthreads-perl
Optional Digest::MD5 module (included with most if not all distributions). Required when enabling duplicate trap detection. perl-Digest-MD5 libdigest-md5-perl


All development and testing was done with Linux, Windows 2000 or higher and various versions of Net-SNMP from UCD SNMP v4.2.1 to the current Net-SNMP 5.7.x release. The Windows version has been tested with both native mode and under Cygwin.

SNMP V1, V2 and V3 traps have been tested.

The latest version of Net-SNMP is recommended.

Note:

What's New

v1.5beta2 - November 27th, 2021

v1.5beta1 - March 25th, 2021

v1.4.2 - July 23rd, 2020

v1.4 - November 6th, 2013

v1.3 - November 15th, 2009

v1.2 - June 16th, 2007

v1.1 - January 17th, 2006

1.0 - August 30, 2004

0.9 - November 3rd, 2003

0.8 - September 16th, 2003

0.7 - April 17th, 2003

0.6 - March 25th, 2003

0.5 - February 12th, 2003

0.4 - November 18th, 2002

0.3 - September 11th, 2002

0.2 - July 10th, 2002

0.1 - April 18th, 2002

Upgrading

v1.5beta1 to v1.5beta2

To upgrade from v1.5beta1 to v1.5beta2 you should:

  1. Replace snmptt with the new version. Make sure the file is executable (chmod +x filename).
  2. Replace snmptthandler-embedded with the new version. Make sure the file is executable (chmod +x filename).
  3. For systemd systems, replace the snmptt.service service file with the new version.
  4. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it.
  5. Secure your /etc/snmp or /etc/snmptt folder as described in the Securing SNMPTT section of the documentation.

v1.4.2 to v1.5beta1

To upgrade from v1.4.2 to v1.5beta1 you should:

  1. Replace snmptt with the new version. Make sure the file is executable (chmod +x filename).
  2. Replace snmpttconvertmib with the new version. Make sure the file is executable (chmod +x filename).
  3. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it.
  4. To enable IPv6 support, set ipv6_enable = 1 in snmptt.ini.

Notes:

  1. Starting with v1.5, you can use /etc/snmptt/ instead of /etc/snmp/ for your snmptt.ini file.
  2. DNS now requires the Perl module IO::Socket::IP.
  3. IPv6 requires the Perl module Net::IP.

v1.4 to v1.4.2

To upgrade from v1.4 to v1.4,1, you should:

  1. Replace snmptt with the new version. Make sure the file is executable (chmod +x filename).
  2. Confirm that the snmptt user account is a member of the appropriate groups such as nagios for Nagios and icingacmd for Icinga2.
  3. Backup your snmptt.ini file and then add the new option daemon_gid = snmptt below daemon_uid.
  4. To increase security:

    • If you are not currently using daemon mode and are running as root, please switch to daemon mode or run as different user such as snmptt.
    • Secure the spool folder with:

    • chown -R snmptt.snmptt /var/spool/snmptt

    • chmod -R 750 /var/spool/snmptt

    • Secure the /etc/snmp folder with

    • chown -R root.root /etc/snmp

    • chmod 755 /etc/snmp
    • chown snmptt.snmptt /etc/snmp/snmptt*
    • chmod 660 /etc/snmp/snmptt*

v1.3 to v1.4

To upgrade from v1.3 to v1.4, you should:

  1. Replace snmptt and snmptthandler-embedded with the new versions. Make sure the files are executable (chmod +x filename).
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it. The only change is the addition of the net_snmp_perl_cache_enable option.
  3. Check your snmptt.conf files for any traps defined with LOGONLY. These entries will no longer have EXEC lines executed. In previous versions EXEC was exectued when it should not have been.
  4. The new snmptt.ini option net_snmp_perl_cache_enable defaults to on, so disable if required.

v1.2 to v1.3

To upgrade from v1.2 to v1.3, you should:

  1. Replace snmptt and snmpttconvertmib with the new versions. Make sure the files are executable (chmod +x filename).
  2. Copy snmptt-init.d to /etc/init.d/snmptt. Make sure the file is executable (chmod +x filename).
  3. Optional: Install and configure the snmptthandler-embedded trap handler. See Embedded handler for details.
  4. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it. The default log paths have changed so modify as needed.
  5. Setup log rotation by copying snmptt.logrotate to /etc/logrotate.d/snmptt and modifying as needed for the correct paths, rotate frequency etc.
  6. Enable any new features in snmptt.ini as required.

v1.1 to v1.2

To upgrade from v1.1 to v1.2, you should:

  1. Replace snmptt and snmpttconvertmib with the new versions contained in the v1.2 package. Make sure the files are executable (chmod +x filename).
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it.
  3. Enable any new features in snmptt.ini as required.
  4. For Linux and Unix (or anything non-Windows), if you are using the daemon_uid option in snmptt.ini, and are monitoring the availability of snmptt by checking for the snmptt process, be aware that there will now be two snmptt processes running instead of one.
  5. For Linux and Unix (or anything non-Windows), the snmptt.ini exec_escape option is enabled by default which will escape wildcard characters (* and ?) for EXEC, PREEXEC and the unknown_trap_exec commands. Disable if required.

v1.0 to v1.1

To upgrade from v1.0 to v1.1, you should:

  1. Replace snmptt and snmpttconvertmib with the new versions contained in the v1.1 package. Make sure the files are executable (chmod +x filename).
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it.
  3. Enable any new features in snmptt.ini as required.

v0.9 to v1.0

To upgrade from v0.9 to v1.0, you should:

  1. Replace snmptt, snmpttconvert, snmpttconvertmib, and snmptthandler with the new versions contained in the v1.0 package. Make sure the files are executable (chmod +x filename).
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it
  3. If you are using a MySQL, PostgreSQL or ODBC (via DBD::ODBC) and do not want the database to be pinged before each INSERT, set mysql_ping_on_insert, postgresql_ping_on_insert or dbd_odbc_ping_on_insert to 0 in snmptt.ini. If you do not want the database to be pinged periodically, set mysql_ping_interval, postgresql_ping_interval or dbd_odbc_ping_interval to 0 in snmptt.ini.
  4. Enable any new features in snmptt.ini as required
  5. Test and report any issues to [email protected], or open a bug report at Sourceforge.

v0.8 to v0.9

To upgrade from v0.8 to v0.9, you should:

  1. Replace snmptt with the new version contained in the v0.9 package. Make sure the file is executable (chmod +x filename)
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it
  3. If you have any external applications that monitor the syslog for SNMPTT or TRAPD messages, modify them to look for snmptt[pid] and snmptt-sys[pid] instead
  4. Enable any new features in snmptt.ini as required
  5. Test and report any issues to [email protected], or open a bug report at Sourceforge.

v0.7 to v0.8

To upgrade from v0.7 to v0.8, you should:

  1. Replace snmptt and snmpttconvertmib with the new versions contained in the v0.8 package. Make sure the files are executable (chmod +x filename)
  2. Replace your /etc/rc.d/init.d/snmptt file (cp snmptt-init.d /etc/rc.d/init.d/snmptt). Make sure the file is executable (chmod +x filename)
  3. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it
  4. In your snmptt.ini file, configure translate_log_trap_oid with translate_trap_oid value from old snmptt.ini
  5. In your snmptt.ini file, configure translate_value_oids with translate_oids value from old snmptt.ini
  6. In your snmptt.ini file, set dynamic_nodes to 1 if you want the NODES files to be loaded each time an event is processed which is how previous versions of snmptt worked
  7. In your snmptt.conf files, replace any $A with $aA unless you want agent host names to be used instead of IP addresses
  8. In your snmptt.conf files, replace any $E with $e unless you want Enterprise trap OID in symbolic format
  9. In your snmptt.conf files, replace any $O with $o unless you want Trap OID in symbolic format
  10. In your snmptt.conf files, append a g to the end of all REGEX lines to enable global search and replace
  11. Review other translate settings in snmptt.ini
  12. Enable any new features in snmptt.ini as required
  13. If you are using database logging, add a new column called trapoid
  14. If you are using database logging and you enable conversions of OIDs to long names, make sure the table columns are wide enough to hold them
  15. Test and report any issues to [email protected], or open a bug report at Sourceforge.

v0.6 to v0.7

To upgrade from v0.6 to v0.7, you should:

  1. Replace SNMPTT and SNMPTTCONVERTMIB with the new versions contained in the v0.7 package
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it
  3. Enable any new features in snmptt.ini as required
  4. Test and report any issues to [email protected], or open a bug report at Sourceforge.

v0.5 to v0.6

To upgrade from v0.5 to v0.6, you should:

  1. Replace SNMPTTHANDLER, SNMPTT and SNMPTTCONVERTMIB with the new versions contained in the v0.6 package
  2. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it
  3. Enable any new features in snmptt.ini as required
  4. Test and report any issues to [email protected], or open a bug report at Sourceforge.

v0.4 to v0.5

To upgrade from v0.1, v0.2 to v0.3 to v0.4, you should:

  1. Set use_trap_time to 0 to have SNMPTT operate the same as v0.4, or leave as 1 (recommended default) and test
  2. Replace both SNMPTTHANDLER and SNMPTT with the new versions contained in the v0.5 package
  3. Backup your snmptt.ini file, replace it with the new version, and make any necessary configuration changes to it

v0.1, v0.2 or v0.3 to v0.4

To upgrade from v0.1, v0.2 to v0.3 to v0.4, you should:

  1. In your snmptt.conf file, replace all $x with $x $X (see What's New section)
  2. In your snmptt.conf file, replace all $S with $N (see What's New section)
  3. Configure the snmptt.ini as described in this file - configuration options are no longer stored in the snmptt and snmptthandler scripts
  4. If your snmptt.conf file contained a list of other snmptt.conf files instead of trap definitions, move that list to the snmptt.ini file

Installation

Overview

SNMPTT can be run in either daemon mode or standalone mode. Daemon mode is recommended. See Modes of Operation for more details.

The following outlines the general steps required to install and configure SNMPTT:

  1. Install Net-SNMP and SNMPTT as described below.
  2. Copy the sample snmptt.conf to your configuration folder.
  3. Modify snmptt.ini to include the snmptt.conf file and set any desired options.
  4. Start SNMPTT.
  5. Test using the sample trap file.
  6. Create an snmptt.conf file by hand, or using snmpttconvertmib.
  7. Configure your network devices to send traps to the Net-SNMP / SNMPTT machine.
  8. Initiate a trap on your network device and check the SNMPTT log files for the result.
  9. Secure the SNMPTT installation.

Installation - Unix

Package Manager

Packages are available for most Linux distributions and FreeBSD. Check your package manager to see if they have the latest version. If not, you can manually install using the steps below.

Manual installation

Steps:

  1. Copy snmptt to /usr/sbin/ and ensure it is executable (chmod +x snmptt):

    cp snmptt /usr/sbin/
    chmod +x snmptt
    
  2. Copy snmptt.ini to /etc/snmp/ or /etc/ and edit the options inside the file:

    cp snmptt.ini /etc/snmp/
    

    and

    vi /etc/snmp/snmptt.ini
    
  3. Either copy examples/snmptt.conf.generic to /etc/snmp/snmptt.conf (renaming the file during the copy) or use the touch command to create the file (touch /etc/snmp/snmptt.conf).

    cp examples/snmptt.conf.generic /etc/snmp/snmptt.conf
    

    or

    touch /etc/snmp/snmptt.conf
    
  4. Create the log folder /var/log/snmptt/:

    mkdir /var/log/snmptt
    
  5. Create the spool folder /var/spool/snmptt/:

    mkdir /var/spool/snmptt/
    
  6. Startup scripts are included for SysVinit and SystemD systems.

    1. SysVinit:

      1. Copy the script:

        cp snmptt-init.d /etc/rc.d/init.d/snmptt
        
      2. Add the service using chkconfig:

        chkconfig --add snmptt
        
      3. Configure the service to start at runlevel 2345:

        chkconfig --level 2345 snmptt on
        
      4. Start the service:

        service snmptt start
        
    2. Systemd:

      1. Copy the script:

        cp snmptt.service /usr/lib/systemd/system/snmptt.service
        
      2. Enable the service:

        systemctl enable snmptt.service
        
      3. Start the service:

        systemctl start snmptt.service
        
    3. Manually starting without SystemD or SysVinit:

          snmptt --daemon
      
  7. Check syslog to ensure SNMPTT started properly:

    grep snmptt /var/log/messages
    

    Example log messages:

    snmptt-sys[31442]: SNMPTT 1.4.2 started
    snmptt-sys[31442]: Loading /etc/snmp/snmptt.conf
    snmptt-sys[31442]: Finished loading 89 lines from /etc/snmp/snmptt.conf
    snmptt: PID file: /var/run/snmptt.pid
    snmptt-sys[31446]: Configured daemon_uid: snmptt
    snmptt-sys[31446]: Changing to UID: snmptt (1002), GID: snmptt (1002)
    
  8. A log rotation script is included which can be used to rotate the log files on Red Hat and other systems. Copy the file to the logrotate.d directory (renaming the file during the copy):

    cp snmptt.logrotate /etc/logrotate.d/snmptt
    

    Edit the /etc/logrotate.d/snmptt and update the paths and rotate frequency as needed.

    vi /etc/logrotate.d/snmptt
    

Next we will install the Net-SNMP handler. There are two options: The standard handler and the embedded handler.

Net-SNMP Standard handler

The standard handler is a small Perl program that is called by snmptrapd each time a trap is received when using daemon mode. The limitations of this handler are:

The benefits of using this handler are:

Steps:

  1. Copy snmptthandler to /usr/sbin/ and ensure it is executable (chmod +x snmptthandler).

    cp snmptthandler /usr/sbin/
    chmod +x /usr/sbin/snmptthandler
    
  2. For SNMPTT daemon mode:

    1. Modify (or create) the Net-SNMP snmptrapd.conf file by adding the following lines:

      disableAuthorization yes
      traphandle default /usr/sbin/snmptthandler
      

      Note: You can locate the snmptrapd.conf file by running:

      snmpconf -i
      
  3. For SNMPTT standlone mode:

    1. Modify (or create) the Net-SNMP snmptrapd.conf file by adding the following lines:

      disableAuthorization yes
      traphandle default /usr/sbin/snmptt
      

      Note: You can locate the snmptrapd.conf file by running:

      snmpconf -i
      

      Note: It is possible to configure snmptrapd to execute snmptt based on the specific trap received, but using the default option is preferred

  4. Permanently change snmptrapd to use the -On option by modifying the startup script:

    1. Systemd:

      Edit the unit file and add the -On option:

      systemctl edit --full snmptrapd.service
      

      Change:

      Environment=OPTIONS="-Lsd"
      

      to:

      Environment="OPTIONS=-Lsd -On"
      

      Note: Move the first quote to before OPTIONS.

    2. SysVinit:

      Edit the /etc/rc.d/init.d/snmptrapd file and add "-On" to OPTIONS:

      vi /etc/rc.d/init.d/snmptrapd
      

      Change:

      OPTIONS="-Lsd"
      

      to:

      OPTIONS="-Lsd -On"
      

    Note: The -On option is recommended. This will make snmptrapd pass OIDs in numeric form and prevent SNMPTT from having to translate the symbolic name to numerical form. If the Net-SNMP Perl module is not installed, then you MUST use the -On switch. Depending on the version of Net-SNMP, some symbolic names may not translate correctly. See the FAQ for more info.

    As an alternative, you can edit the /etc/snmp/snmp.conf file to include the line: printNumericOids 1. This setting will take effect no matter what is used on the command line.

  5. Start / restart snmptrapd using service or systemctl:

    service snmptrapd restart
    systemctl restart snmptrapd
    
  6. Check syslog to ensure SNMPTT started properly:

    grep snmptrapd /var/log/messages
    
  7. Follow the steps in the section Securing SNMPTT to ensure SNMPTT has been configured securely.

Net-SNMP Embedded handler

The embedded handler is a small Perl program that is loaded directly into snmptrapd when snmptrapd is started. The limitations of this handler are:

The benefits of using this handler are:

Steps:

  1. Make sure snmptrapd has embedded Perl support enabled. To see if it's enabled in your installation, type:

    snmptrapd -H 2>&1 | grep perl
    

    If it returns perl PERLCODE then embedded Perl is enabled. If it's not enabled, you will need to find another Net-SNMP package with it enabled, or compile Net-SNMP using the --enable-embedded-perl configure option.

  2. Copy snmptthandler-embedded to /usr/sbin/. It does not need to be executable as it is called directly by snmptrapd.

    cp snmptthandler-embedded /usr/sbin/
    
  3. Configure snmptrapd and install the service:

    Modify (or create) the Net-SNMP snmptrapd.conf file by adding the following line:

    disableAuthorization yes
    perl do "/usr/sbin/snmptthandler-embedded"
    

    Note: You can locate the snmptrapd.conf file by running:

    snmpconf -i
    
  4. Permanently change snmptrapd to use the -On option by modifying the startup script:

    1. Systemd:

      Edit the unit file and add the -On option:

      systemctl edit --full snmptrapd.service
      

      Change:

      Environment=OPTIONS="-Lsd"
      

      to:

      Environment="OPTIONS=-Lsd -On"
      

      Note: Move the first quote to before OPTIONS.

    2. SysVinit:

      Edit the /etc/rc.d/init.d/snmptrapd file and add "-On" to OPTIONS:

      vi /etc/rc.d/init.d/snmptrapd
      

      Change:

      OPTIONS="-Lsd"
      

      to:

      OPTIONS="-LsdOn"
      

    Note: The -On option is recommended. This will make snmptrapd pass OIDs in numeric form and prevent SNMPTT from having to translate the symbolic name to numerical form. If the Net-SNMP Perl module is not installed, then you MUST use the -On switch. Depending on the version of Net-SNMP, some symbolic names may not translate correctly. See the FAQ for more info.

    As an alternative, you can edit the /etc/snmp/snmp.conf file to include the line: printNumericOids 1. This setting will take effect no matter what is used on the command line.

  5. Start / restart snmptrapd using service or systemctl:

    service snmptrapd restart
    systemctl restart snmptrapd
    
  6. Check syslog to ensure SNMPTT started properly:

    grep snmptrapd /var/log/messages
    
  7. Follow the steps in the section Securing SNMPTT to ensure SNMPTT has been configured securely.

Note: The default snmptt.ini enables logging to snmptt.log and also syslog for both trap messages and snmptt system messages. Change the following settings if required: log_enable, syslog_enable and syslog_system_enable.

Installation - Windows

The Net-SNMP trap receiver does not currently support embedded Perl, so only the standard trap handler can be used with Windows.

  1. Create the directory c:\snmp and copy snmptt and snmptthandler to it.

    md c:\snmp
    copy snmptt c:\snmpt\
    copy snmptthandler c:\snmp\
    
  2. Copy snmptt.ini-nt to %SystemRoot%\snmptt.ini (c:\windows\snmptt.ini) and edit the options inside the file.

    cp snmptt.ini-nt %SystemRoot%\snmptt.ini
    
  3. Either copy examples\snmptt.conf.generic to c:\snmp\snmptt.conf (renaming the file during the copy) or create the file using notepad.

    copy examples\snmptt.conf.generic c:\snmp\snmptt.conf  
    notepad c:\snmp\snmptt.conf
    
  4. Create the log folder c:\snmp\log\.

    md c:\snmp\log
    
  5. For SNMPTT standlone mode:

    1. Modify (or create) the Net-SNMP snmptrapd.conf file by adding the following line:

      traphandle default perl c:\snmp\snmptt
      

      Note: It is possible to configure snmptrapd to execute snmptt based on the specific trap received, but using the default option is preferred

  6. For SNMPTT daemon mode:

    1. Modify (or create) the Net-SNMP snmptrapd.conf file by adding the following line:
      traphandle default perl c:\snmp\snmptthandler
      
  7. Create the spool folder c:\snmptt\spool\.

    md c:\snmptt\spool
    
  8. Launch snmptt using:

    snmptt --daemon
    
  9. Start SNMPTRAPD using the command line: SNMPTRAPD -On:

    snmptrapd -On
    

    Note: The -On is recommended. This will make snmptrapd pass OIDs in numeric form and prevent SNMPTT from having to translate the symbolic name to numerical form. If the Net-SNMP Perl module is not installed, then you MUST use the -On switch. Depending on the version of Net-SNMP, some symbolic names may not translate correctly. See the FAQ for more info.

    As an alternative, you can edit your /etc/snmp/snmp.conf file to include the line: printNumericOids 1. This setting will take effect no matter what is used on the command line.

  10. Follow the steps in the section Securing SNMPTT to ensure SNMPTT has been configured securely.

Windows EventLog:

If you have enabled Windows Event Log support, then you must install an Event Message File to prevent "Event Message Not Found" messages from appearing in the Event Log. Microsoft Knowledge Base article KB166902 contains information on this error.

The Event Message File is aincluded with SNMPTT is a pre-compiled binary DLL. To compile the DLL yourself, see 'Compiling' below.

To install the DLL:

  1. Backup your system

  2. Make sure Event Viewer is not open

  3. Copy bin\snmptt-eventlog.dll to %windir%\system32

    copy bin\snmptt-eventlog.dll %windir%\system32\
    
  4. Launch the Registry Editor

  5. Go to 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application'

  6. Create a new subkey (under Application) called SNMPTT

  7. Inside of the SNMPTT key, create a new String Value called EventMessageFile. Give it a value of %windir%\system32\snmptt-eventlog.dll.

  8. Inside of the SNMPTT key, create a new DWORD Value called TypesSupported. Give it a value of 7.

To un-install the DLL:

  1. Backup your system

  2. Make sure Event Viewer is not open

  3. Launch the Registry Editor

  4. Go to 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application'

  5. Delete the key SNMPTT

  6. Delete the file %windir%\system32\snmptt-eventlog.dll

    del %windir%\system32\snmptt-eventlog.dll
    

Compiling snmptt-eventlog.dll (MS Visual C++ required)

  1. If your environment is not already set up for command line compilation, locate vcvars32.bat, start a command prompt, and execute it (vcvars32.bat).

  2. cd into the directory where snmptt-eventlog.mc is located (included with SNMPTT) and execute the following commands:

    mc snmptt-eventlog.mc
    
    rc /r snmptt-eventlog.rc
    
    link /nodefaultlib /INCREMENTAL:NO /release /nologo -base:0x60000000 -machine:i386 -dll -noentry -out:snmptt-eventlog.dll snmptt-eventlog.res
    
  3. Install the DLL as described above

Windows Service:

To configure SNMPTT as a service under Windows, follow these steps. More information can be obtained from the Windows Resource Kit.

  1. Install the Windows resource kit

  2. Copy the srvany.exe program to c:\windows\system32 from c:\Program Files\Resource Kit *

    copy srvany.exe c:\%windir%\system32\
    
  3. Install the SNMPTT service using:

    instsrv SNMPTT c:\windows\\system32\srvany.exe
    
  4. Configure the service:

    1. Launch REGEDIT

    2. Go to HKLM\SYSTEM\CurrentControlSet\SNMPTT

    3. Create a key called: Parameters

    4. Inside of Parameters, create a Sting Value (REG_SZ) called Application with the value of: c:\perl\bin\perl.exe

    5. Inside of Parameters, create a Sting Value (REG_SZ) called AppParameters with the value of: c:\snmp\snmptt --daemon

  5. Start the service from the control panel, or from a command prompt, type:

    net start snmptt
    
  6. Note: To remove the service, type:

    instsrv SNMPTT remove
    

Securing SNMPTT

As with most software, SNMPTT should be run without root or administrator privileges. Running with a non privileged account can help restrict what actions can occur when using features such as EXEC and REGEX.

For Linux and Unix, if you start SNMPTT as root, a user called 'snmptt' should be created and the snmptt.ini option daemon_uid should be set to the numerical user id (eg: 500) or textual user id (snmptt). Only define daemon_uid if starting snmptt using root.

If you start SNMPTT as a non-root user, then daemon_uid is not required (and will probably not work).

When using daemon_uid in daemon mode, there will be two SNMPTT processes. The first will run as root and will be responsible for creating the .pid file, and for cleaning up the .pid file on exit. The second process will run as the user defined by daemon_uid. If the system syslog (syslog_system_enable) is enabled, a message will be logged stating the user id has been changed. All processing from that point on will be as the new user id. This can be verified by looking the snmptt processes using ps.

For Windows, a local or domain user account called 'snmptt' should be created. If running as a Windows service, the service should be configured to use the snmptt user account. Otherwise the system should be logged in locally with the snmptt account before launching SNMPTT in daemon mode.

The script snmptthandler which is called from Net-SNMP's snmptrapd will be executed in the same security context as snmptrapd.

The SNMPTT user should be configured with the following permissions:

If snmptrapd is run as a non root / administrator, it should be configured with the following permissions:

Secure the spool folder with:

    chown -R snmptt.snmptt /var/spool/snmptt
    chmod -R 750 /var/spool/snmptt

Secure the /etc/snmp folder with

    chown -R root.root /etc/snmp
    chmod 755 /etc/snmp
    chown snmptt.snmptt /etc/snmp/snmptt*
    chmod 660 /etc/snmp/snmptt*

Note: Starting with v1.5, you can use /etc/snmptt/ instead of /etc/snmp/ for your snmptt.ini file:

Secure the /etc/snmptt folder with

    chown -R snmptt.snmptt /etc/snmptt
    chmod 750 /etc/snmptt

Grant access to the log folder:

    chown -R snmptt.snmptt /var/spool/snmptt
    chown -R snmptt.snmptt /var/log/snmptt
    chmod -R 750 /var/spool/snmptt

Note: It is recommended that only the user running snmptrapd and the snmptt user be given permission to the spool folder. This will prevent other users from placing files into the spool folder such as non-trap related files, or the !reload file which causes SNMPTT to reload.

Configuration Options - snmptt.ini

As mentioned throughout this document, configuration options are set by editing the snmptt.ini file.

For Linux / Unix, the following directories are searched to locate snmptt.ini:

/etc/snmptt/
/etc/snmp/
/etc/
/usr/local/etc/snmp/
/usr/local/etc/

Note: /etc/snmptt/ is new for v1.5.

For Windows, the file should be in %SystemRoot%\. For example, c:\windows.

If an alternative location is desired, the snmptt.ini file path can be set on the command line using the -ini= parameter. See Command Line Arguments.

A sample snmptt.ini is provided in this package. See the Installation section.

This file does not document all configuration options available in snmptt.ini. Please view the snmptt.ini for a complete description of all options.

Note: The default snmptt.ini enables logging to snmptt.log and also syslog for both trap messages and SNMPTT system messages. Change the following settings if required: log_enable, syslog_enable and syslog_system_enable.

Modes of Operation

SNMPTT can be run in two modes: daemon mode and standalone mode. Daemon mode is recommended.

Daemon mode

When SNMPTT is run in daemon mode, the snmptrapd.conf file would contain a traphandle statement such as:

traphandle default /usr/sbin/snmptthandler

or when using the embedded handler:

perl do "/usr/sbin/snmptthandler-embedded"

When a trap is received by SNMPTRAPD, the trap is passed to the SNMPTT handler script which performs the following tasks:

SNMPTT running in daemon mode performs the following tasks:

Using SNMPTTHANDLER and SNMPTT in daemon mode, a large number of traps per minute would be handled easily.

Running SNMPTT with the --daemon command line option or setting the mode variable in the snmptt.ini file to daemon will cause SNMPTT to run in daemon mode.

By setting the snmptt.ini variable use_trap_time to 1 (default), the date and time used for logging will be the date and time passed inside the trap spool file. If use_trap_time is set to 0, the date and time that the trap was processed by SNMPTT is used. Setting use_trap_time to 0 can result in inaccurate time stamps in log files due to the length of time SNMPTT sleeps between spool directory polling.

Note: When running on a non Windows platform, SNMPTT will fork to the background and create a pid file in /var/run/snmptt.pid if daemon_fork is set to 1. If the user is not able to create the /var/run/snmptt.pid file, it will attempt to create one in the current working directory.

Sending the HUP signal to SNMPTT when running as a daemon will cause it to reload the configuration file including the .ini file, snmptt.conf files listed in the .ini file and any NODES files if dynamic_nodes is disabled. A reload can also be forced by adding a file to the spool directory called !reload. The filename is not case sensitive. If this file is detected, it will flag a reload to occur and will delete the file. This would be the only way to cause a reload when using Windows as Windows does not support signals.

Statistical logging of total traps received, total traps translated and total unknown traps can be enabled by setting the statistics_interval snmptt.ini variable to a value greater than 0. At each interval (defined in seconds), the statistics will be logged to syslog or the event log.

Sending the USR1 signal will also cause the statistical information for total traps received, total traps translated and total unknown traps to be logged. This could be used for example if you want to log statistics at a set time each day using a task scheduler instead of using the interval time defined in the snmptt.ini variable statistics_interval. A statistics dump can also be forced by adding a file to the spool directory called !statistics which is processed similar to the !reload file.

Standalone mode

To use SNMPTT in standalone mode, the snmptrapd.conf file would contain a traphandle statement such as:

    traphandle default /usr/sbin/snmptt

When a trap is received by snmptrapd, the trap is passed to the /usr/sbin/snmptt script. SNMPTT performs the following tasks:

With a 450 Mhz PIII (way back in 1998) and a 9000 line snmptt.conf containing 566 unique traps (EVENTs), it took under a second to process the trap including logging and executing the qpage program. The larger the snmptt.conf file is, the longer it will take to process. If there are a large number of traps being received, daemon mode should be used. If it takes 1 second to process one trap, then obviously you shouldn't try to process more than one trap per second. Daemon mode should be used instead.

Running SNMPTT without the --daemon command line option will result standalone mode unless the mode variable in the snmptt.ini file is set to daemon. For standalone mode, the mode variable in the snmptt.ini file should be set standalone.

Note: Enabling the Net-SNMP Perl module will greatly increase the startup time of SNMPTT. Daemon mode is recommended.

Command line arguments

The following command line arguments are supported:

Usage:  
    snmptt [<options>]  
Options:  
    --daemon                Start in daemon mode  
    --debug=n               Set debug level (1 or 2)  
    --debugfile=filename    Set debug output file  
    --dump                  Dump (display) defined traps  
    --help                  Display this message  
    --ini=filename          Specify path to snmptt.ini file  
    --version               Display author and version information  
    --time                  Use to see how long it takes to load and  
                            process trap file (eg: time snmptt --time)

Logging

Logging - Standard

Translated traps can be sent to standard output and to a log file. The output format is:

date trap-oid severity category hostname - translated-trap

To configure standard output or regular logging, edit the snmptt.ini file and modify the following variables:

stdout_enable
log_enable
log_file
log_format

The output format can be changed from the above default by modifying the log_format setting. See snmptt.ini for details.

Logging - Unknown traps

Logging of unrecognized traps is possible. This would be used mainly for troubleshooting purposes.

To configure unknown trap logging, edit the snmptt.ini file and modify the following variables:

enable_unknown_trap_log
unknown_trap_log_file

Unknown traps can be logged to a SQL table as described in the Database section.

Logging - Syslog

Translated traps can be sent to syslog. The format of the entries will be similar to above without the date (as syslog adds the date):

trap-oid severity category hostname - translated-trap

Syslog entries normally start with: date hostname snmptt[pid]:

To configure syslog, edit the snmptt ini file and modify the following variables:

syslog_enable
syslog_facility
syslog_level
syslog_module
syslog_remote_dest *
syslog_remote_port *
syslog_remote_proto *
syslog_rfc_format *
syslog_app *
syslog_format

(*) Only applicable when using syslog_module = 1

When using the default syslog_module setting of 0, syslog messages are logged to the local system using Unix sockets following the RFC3164 standard.

To enable RFC5424 or remote syslog server support, set syslog_module to 1 and define the (*) settings. Be sure to enable UDP or TCP syslog reception in your syslog server. See snmptt.ini for details on each setting.

SNMPTT system errors and messages such as startup, shutdown, trap statistics etc can be sent to syslog by editing the snmptt.ini file and modifying the following variables:

syslog_system_enable
syslog_system_facility
syslog_system_level

Syslog system entries normally start with: date hostname snmptt-sys[pid]:

The following errors are logged:

SNMPTT (version) started (*)
Unable to enter spool dir x (*)
Unable to open spool dir x (*)
Unable to read spool dir x (*)
Could not open trap file x (*)
Unable to delete trap file x from spool dir (*)
Unable to delete !reload file spool dir (*)
Unable to delete !statistics file spool dir (*)
Reloading configuration file(s) (*)
SNMPTT (version) shutdown (*)
Loading snmpttconfigfile (*)
Could not open configuration file: snmpttconfigfile(*)
Finished loading x lines from snmpttconfigfile (*)
MySQL error: Unable to connect to database
SQL error: Unable to connect to DSN
Can not open log file logfile
MySQL error: Unable to perform PREPARE
MySQL error: Unable to perform INSERT INTO (EXECUTE)
DBI DBD::ODBC error: Unable to perform INSERT INTO
Win32::ODBC error: Unable to perform INSERT INTO
PostgreSQL error: Unable to connect to database
PostgreSQL error: Unable to perform PREPARE
PostgreSQL error: Unable to perform INSERT INTO (EXECUTE)

* (daemon mode only)

Logging - Windows EventLog

When running under Windows, translated traps can be sent to the EventLog. All traps are logged under EventID 2 under the source SNMPTT. The format of the entries will be similar to above without the date (as the Event Log logs the date):

trap-oid severity category hostname translated-trap

To configure eventlog support, edit the snmptt ini file and modify the following variables:

eventlog_enable
eventlog_type

SNMPTT system errors can be sent to the Event Log by editing the snmptt.ini file and modifying the following variables:

eventlog_system_enable

The following errors are logged. Note that each error contains a unique EventID:

EventID 0: SNMPTT (version) started (*)
EventID 3: Unable to enter spool dir x (*)
EventID 4: Unable to open spool dir x (*)
EventID 5: Unable to read spool dir x (*)
EventID 6: Could not open trap file x (*)
EventID 7: Unable to delete trap file x from spool dir (*)
EventID 20: Unable to delete !reload file spool dir (*)
EventID 21: Unable to delete !statistics file spool dir (*)
EventID 8: Reloading configuration file(s) (*)
EventID 1: SNMPTT (version) shutdown (*)
EventID 9: Loading snmpttconfigfile (*)
EventID 10: Could not open configuration file: snmpttconfigfile(*)
EventID 11: Finished loading x lines from snmpttconfigfile(*) EventID 12: MySQL error: Unable to connect to database
EventID 13: SQL error: Unable to connect to DSN dsn
EventID 14: Can not open log file logfile
EventID 23: MySQL error: Unable to perform PREPARE
EventID 15: MySQL error: Unable to perform INSERT INTO (EXECUTE)
EventID 16: DBI DBD::ODBC error: Unable to perform INSERT INTO
EventID 17: Win32::ODBC error: Unable to perform INSERT INTO
EventID 18: PostgreSQL error: Unable to connect to database
EventID 22: PostgreSQL error: Unable to perform PREPARE
EventID 19: PostgreSQL error: Unable to perform INSERT INTO (EXECUTE)

* (daemon mode only)

Note:

To prevent "Event Message Not Found" messages in the Event Viewer, an Event Message File must be used. For information on installing the message file, see the Installation section for Windows.

Logging - Database

Translated and unrecognized traps can be sent to a database. MySQL (tested under Linux), PostgreSQL (tested under Linux) and ODBC (tested under Windows) can be used.

After configuring database logging below, you can also enable unknown trap logging by editing the snmptt.ini file and modifying the following variables:

enable_unknown_trap_log
db_unknown_trap_format

DBD::MySQL

To configure SNMPTT for MySQL, modify the following variables in the snmptt.ini file.

mysql_dbi_enable
mysql_dbi_host
mysql_dbi_port
mysql_dbi_database
mysql_dbi_table
mysql_dbi_table_unknown
mysql_dbi_username
mysql_dbi_password

Note: Sample values are defined in the default ini file. Defining mysql_dbi_table_unknown is optional.

The following MySQL script will create the database and table. Permissions etc should also be defined. Run 'mysql' as root and enter:

CREATE DATABASE snmptt;   
USE snmptt;

DROP TABLE snmptt;   
CREATE TABLE snmptt (   
id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,   
eventname VARCHAR(50),   
eventid VARCHAR(50),   
trapoid VARCHAR(100),  
enterprise VARCHAR(100),   
community VARCHAR(20),   
hostname VARCHAR(100),   
agentip  VARCHAR(16),   
category VARCHAR(20),   
severity VARCHAR(20),   
uptime  VARCHAR(20),   
traptime VARCHAR(30),   
formatline VARCHAR(255));

Note: To store the traptime as a real date/time (DATETIME data type), change 'traptime VARCHAR(30),' to 'traptime DATETIME,' and set date_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

Note: If you do not want the auto-incrementing id column, remove the 'id INT...' line.

If logging of unknown traps to a SQL table is required, create the snmptt_unknown table using:

USE snmptt;

DROP TABLE snmptt_unknown;   
CREATE TABLE snmptt_unknown (   
trapoid VARCHAR(100),  
enterprise VARCHAR(100),   
community VARCHAR(20),   
hostname VARCHAR(100),   
agentip  VARCHAR(16),   
uptime  VARCHAR(20),   
traptime VARCHAR(30),   
formatline VARCHAR(255));

Note: To store the traptime as a real date/time (DATETIME data type), change 'traptime VARCHAR(30),' to 'traptime DATETIME,' and set date_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

If logging of statistics to a SQL table is required, create the snmptt_statistics table using:

USE snmptt;

DROP TABLE snmptt_statistics;  
CREATE TABLE snmptt_statistics (  
stat_time VARCHAR(30),  
total_received BIGINT,  
total_translated BIGINT,  
total_ignored BIGINT,  
total_skipped BIGINT,  
total_unknown BIGINT);

Note: Only include total_skipped if unknown_trap_nodes_match_mode is set to 1.

Note: To store the stat_time as a real date/time (DATETIME data type), change 'stat_time VARCHAR(30),' to 'stat_time DATETIME,' and set stat_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

Note: The variable lengths I have chosen above should be sufficient, but they may need to be increased depending on your environment.

To add a user account called 'snmptt' with a password of 'mytrap' for use by SNMPTT, use the following SQL statement:

GRANT ALL PRIVILEGES ON \*.\* TO 'snmptt'@'localhost' IDENTIFIED BY 'mytrap';

DBD::PgPP (PostgreSQL)

To configure SNMPTT for PostgreSQL, modify the following variables in the snmptt.ini file.

postgresql_dbi_enable
postgresql_dbi_module
postgresql_dbi_hostport_enable
postgresql_dbi_host
postgresql_dbi_port
postgresql_dbi_database
postgresql_dbi_table
postgresql_dbi_table_unknown
postgresql_dbi_username
postgresql_dbi_password

Note: Sample values are defined in the default ini file. Defining postgresql_dbi_table_unknown is optional.

The following shell / PostgreSQL commands will drop the existing database if it exists and then delete the existing snmptt user. It will then create a new snmptt database, a new snmptt user (prompting for a password) and then create the table. Run these commands as root.

su - postgres
dropdb snmptt  
dropuser snmptt

createuser -P snmptt  
createdb -O snmptt snmptt  
psql snmptt

DROP TABLE snmptt;  
CREATE TABLE snmptt (  
eventname VARCHAR(50),  
eventid VARCHAR(50),  
trapoid VARCHAR(100),  
enterprise VARCHAR(100),  
community VARCHAR(20),  
hostname VARCHAR(100),  
agentip  VARCHAR(16),  
category VARCHAR(20),  
severity VARCHAR(20),  
uptime  VARCHAR(20),  
traptime VARCHAR(30),  
formatline VARCHAR(255));

GRANT ALL ON snmptt TO snmptt;  
\q

Note: To store the traptime as a real date/time (timestamp data type), change 'traptime VARCHAR(30),' to 'traptime timestamp,' and set date_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

If logging of unknown traps to a SQL table is required, create the snmptt_unknown table using:

su - postgres  
psql snmptt

DROP TABLE snmptt_unknown;
CREATE TABLE snmptt_unknown (
trapoid VARCHAR(100),  
enterprise VARCHAR(100),  
community VARCHAR(20),  
hostname VARCHAR(100),  
agentip  VARCHAR(16),  
uptime  VARCHAR(20),  
traptime VARCHAR(30),  
formatline VARCHAR(255));

GRANT ALL ON snmptt_unknown TO snmptt;  
\q

Note: To store the traptime as a real date/time (timestamp data type), change 'traptime VARCHAR(30),' to 'traptime timestamp,' and set date_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

If logging of statistics to a SQL table is required, create the snmptt_statistics table using:

su - postgres  
psql snmptt


DROP TABLE snmptt_statistics;  
CREATE TABLE snmptt_statistics (  
stat_time VARCHAR(30),  
total_received BIGINT,  
total_translated BIGINT,  
total_ignored BIGINT,  
total_skipped BIGINT,  
total_unknown BIGINT);

GRANT ALL ON snmptt_statistics TO snmptt;  
\q

Note: Only include total_skipped if unknown_trap_nodes_match_mode is set to 1.

Note: To store the stat_time as a real date/time (timestamp data type), change 'stat_time VARCHAR(30),' to 'stat_time timestamp,' and set stat_time_format_sql in snmptt.ini to %Y-%m-%d %H:%M:%S.

The variable lengths I have chosen above should be sufficient, but they may need to be increased depending on your environment.

DBD::ODBC

SNMPTT can access ODBC data sources using either the DBD::ODBC module on Linux and Windows, or the WIN32::ODBC module on Windows.

To configure SNMPTT for ODBC access using the module DBD::ODBC, modify the following variables in the snmptt script.

dbd_odbc_enable = 1;
dbd_odbc_dsn = 'snmptt';
dbd_odbc_table = 'snmptt';
dbd_odbc_table_unknown = 'snmptt';
dbd_odbc_username = 'snmptt';
dbd_odbc_password = 'password';

Note:

SNMPTT does not create the DSN connection. You must define the DSN outside of SNMPTT. See 'Data Sources (ODBC)' in Windows help for information on creating a DSN connection.

Defining dbd_odbc_table_unknown is optional.

Sample values are defined in the default ini file.

The following MS SQL Server / Access script can create the table inside an existing database. Permissions etc should also be defined.

CREATE TABLE snmptt (
eventname character(50) NULL,
eventid  character(50) NULL,
trapoid character(100) NULL,
enterprise character(100) NULL,
community character(20) NULL,
hostname character(100) NULL,
agentip  character(16) NULL,
category character(20) NULL,
severity character(20) NULL,
uptime  character(20) NULL,
traptime character(30) NULL,
formatline character(255) NULL);

Note: To store the traptime as a real date/time, change 'traptime character(30),' to the date/time data type supported by the database and and set date_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

If logging of unknown traps to a SQL table is required, create the snmptt_unknown table using:

CREATE TABLE snmptt_unknown (
trapoid character(100) NULL,
enterprise character(100) NULL,
community character(20) NULL,
hostname character(100) NULL,
agentip  character(16) NULL,
uptime  character(20) NULL,
traptime character(30) NULL,
formatline character(255) NULL);

Note: To store the traptime as a real date/time, change 'traptime character(30),' to the date/time data type supported by the database and and set date_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

If logging of statistics to a SQL table is required, create the snmptt_statistics table using:

CREATE TABLE snmptt_statistics (  
stat_time character(30) NULL,  
total_received BIGINT NULL,  
total_translated BIGINT NULL,  
total_ignored BIGINT NULL,  
total_skipped BIGINT NULL,  
total_unknown BIGINT NULL);

Note: Only include total_skipped if unknown_trap_nodes_match_mode is set to 1.

Note: To store the stat_time as a real date/time, change 'stat_time character(30),' to the date/time data type supported by the database and and set stat_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

All variables are inserted into the database using 'INSERT INTO' as text including the date and time. The variable lengths I have chosen above should be sufficient, but they may need to be increased depending on your environment.

Win32::ODBC

SNMPTT can access ODBC data sources using either the DBD::ODBC module on Linux and Windows, or the WIN32::ODBC module on Windows.

To configure SNMPTT for MS SQL via ODBC on Windows, modify the following variables in the snmptt script.

sql_win32_odbc_enable = 1;  
sql_win32_odbc_dsn = 'snmptt';  
sql_win32_odbc_table = 'snmptt';  
sql_win32_odbc_username = 'snmptt';  
sql_win32_odbc_password = 'password';

Note:

SNMPTT does not create the DSN connection. You must define the DSN outside of SNMPTT. See 'Data Sources (ODBC)' in Windows help for information on creating a DSN connection.

Defining sql_win32_odbc_table_unknown is optional.

Sample values are defined in the default ini file.

The following MS SQL Server script can create the table inside an existing database. Permissions etc should also be defined.

CREATE TABLE snmptt (
eventname character(50) NULL,
eventid  character(50) NULL,
trapoid character(50) NULL,
enterprise character(50) NULL,
community character(20) NULL,
hostname character(100) NULL,
agentip  character(16) NULL,
category character(20) NULL,
severity character(20) NULL,
uptime  character(20) NULL,
traptime character(30) NULL,
formatline character(255) NULL);

Note: To store the traptime as a real date/time, change 'traptime character(30),' to the date/time data type supported by the database and and set date_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

If logging of unknown traps to a SQL table is required, create the snmptt_unknown table using:

CREATE TABLE snmptt_unknown (
trapoid character(50) NULL,
enterprise character(50) NULL,
community character(20) NULL,
hostname character(100) NULL,
agentip  character(16) NULL,
uptime  character(20) NULL,
traptime character(30) NULL,
formatline character(255) NULL);

Note: To store the traptime as a real date/time, change 'traptime character(30),' to the date/time data type supported by the database and and set date_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

If logging of statistics to a SQL table is required, create the snmptt_statistics table using:

CREATE TABLE snmptt_statistics (  
stat_time character(30) NULL,  
total_received BIGINT NULL,  
total_translated BIGINT NULL,  
total_ignored BIGINT NULL,  
total_skipped BIGINT NULL,  
total_unknown BIGINT NULL);

Note: Only include total_skipped if unknown_trap_nodes_match_mode is set to 1.

Note: To store the stat_time as a real date/time, change 'stat_time character(30),' to the date/time data type supported by the database and and set stat_time_format_sql in snmptt.ini to a compatible format. For example: %Y-%m-%d %H:%M:%S.

All variables are inserted into the database using 'INSERT INTO' as text including the date and time. The variable lengths I have chosen above should be sufficient, but they may need to be increased depending on your environment.

Executing an external program

An external program can be launched when a trap is received. The command line is defined in the snmptt.conf configuration file. For example, to send a page using QPAGE (http://www.qpage.org), the following command line could be used:

qpage -f TRAP notifygroup1 "$r $x $X Compaq Drive Array Spare Drive on controller $4, bus $5, bay $6 status is $3."

$r is translated to the hostname, $x is the current date, and $X is the current time (described in detail below).

To enable or disable the execution of EXEC definitions, edit the snmptt.ini file and modify the following variable:

exec_enable

It is also possible to launch an external program when an unknown trap is received. This can be enabled by defining unknown_trap_exec in snmptt.ini. Passed to the command will be all standard and enterprise variables, similar to unknown_trap_log_file but without the newlines.

SNMPTT.CONF Configuration file format

The configuration file (usually /etc/snmp/snmptt.conf or c:\snmp\snmptt.conf) contains a list of all the defined traps.

If your snmptt.conf file is getting rather large and you would like to divide it up into many smaller files, then do the following:

For example:

snmptt_conf_files = <<END  
/etc/snmp/snmptt.conf.generic  
/etc/snmp/snmptt.conf.compaq  
/etc/snmp/snmptt.conf.cisco  
/etc/snmp/snmptt.conf.hp  
/etc/snmp/snmptt.conf.3com  
END

The syntax of the snmptt.conf file is:

EVENT event_name event_OID "category" severity

FORMAT format_string

[EXEC command_string]

[PREEXEC command_string]

[NODES sources_list]

[MATCH [MODE=[or | and]] | [$n:[!][( ) | n | n-n | > n | < n | x.x.x.x | x.x.x.x-x.x.x.x | x.x.x.x/x]]

[REGEX ( )( )[i][g][e]]

[SDESC]
[EDESC]

Note: Lines starting with a # are treated as comments and will be ignored.

Note: The EVENT and FORMAT line are REQUIRED. Commands in [] are optional. Do NOT include the []s in the configuration file!

EVENT

EVENT event_name event_OID "category" severity

event_name:

Unique text label (alias) containing no spaces. This would match the name on the TRAP-TYPE or NOTIFICATION-TYPE line in the MIB file when converted using snmpttconvertmib.

event_OID:

Object identifier string in dotted format or symbolic notation containing no spaces.

For example, a Compaq (enterprise .1.3.6.1.4.1.232) cpqHoGenericTrap trap (trap 11001) would be written as:

.1.3.6.1.4.1.232.0.11001

Symbolic names can also be used if the Net-SNMP Perl module is installed and enabled by setting net_snmp_perl_enable in the snmptt.ini file. For example:

linkDown

IF-MIB::linkDown

Notes:

Wildcards in dotted format notation can also be used. For example:

.1.3.6.1.4.1.232.1.2.*

Notes:

 EVENT unknown .* "Status Events" Normal

category:

Note: If you plan on using an external program such as Nagios, you probably do not want any traps defined with LOGONLY as the EXEC line would never be used to submit the passive service check.

severity:

FORMAT

FORMAT format_string

There can be only one FORMAT line per EVENT.

The format string is used to generate the text that will be logged to any of the supported logging methods.

Variable substitution is performed on this string using the following variables:

$A - Trap agent host name (see Note 1)
$aA - Trap agent IP address
$Be - securityEngineID (snmpEngineID) (see Note 7)
$Bu - securityName (snmpCommunitySecurityName) (see Note 7)
$BE - contextEngineID (snmpCommunityContextEngineID) (see Note 7)
$Bn - contextName (snmpCommunityContextName) (see Note 7)
$c - Category
$C - Trap community string
$D - Description text from SNMPTT.CONF or MIB file (see Note 6)
$E - Enterprise trap OID in symbolic format
$e - Enterprise trap OID in number format (.1.3.6.1.4.1.n)
$j - Enterprise number (n)
$Fa - alarm (bell) (BEL)
$Ff - form feed (FF)
$Fn - newline (LF, NL)
$Fr - return (CR)
$Ft - tab (HT, TAB)
$Fz - Translated FORMAT line (EXEC, log_format and syslog_format only)
$G - Generic trap number (0 if enterprise trap)
$S - Specific trap number (0 if generic trap)
$H - Host name of the system running SNMPTT
$N - Event name defined in .conf file of matched entry
$i - Event OID defined in .conf file of matched entry (could be a wildcard OID)
$O - Trap OID in symbolic format (see Note 4)
$o - Trap OID in numerical format (see Note 4)
$pn - PREEXEC result n (1-n)
$pun - Unknown trap PREEXEC result n (1-n). See unknown_trap_preexec setting in snmptt.ini.
$R, $r - Trap hostname (see Note 1)
$aR, $ar - IP address
$s - Severity
$T - Uptime: Time since network entity was initialized
$X - Time trap was spooled (daemon mode) or current time (standalone mode)
$x - Date trap was spooled (daemon mode) or current date (standalone mode)
$# - Number of (how many) variable-bindings in the trap
$$ - Print a $
$@ - Number of seconds since the epoch of when the trap was spooled (daemon mode) or the current time (standalone mode)
$n - Expand variable-binding n (1-n) (see Note 2,5)
$+n - Expand variable-binding n (1-n) in the format of variable name:value (see Note 2,3,5)
$-n - Expand variable-binding n (1-n) in the format of variable name (variable type):value (see Note 2,3,5)
$vn - Expand variable name of the variable-binding n (1-n)(see Note 3)
$* - Expand all variable-bindings (see Note 5)
$+* - Expand all variable-bindings in the format of variable name:value (see Note 2,3,5)
$-* - Expand all variable-bindings in the format of variable name (variable type):value (see Note 2,3,5)

Example:

FORMAT NIC switchover to slot $3, port $4 from slot $5, port $6

Notes:

For the text log file, the output will be formatted as:

date time trap-OID severity category hostname - format

For all other log files except MySQL, DBD::ODBC and Win32::ODBC, the output will be formatted as:

trap-OID severity category hostname - format

For MySQL, DBD::ODBC and Win32::ODBC, the formatline column will contain only the format text.

Note (1):

See the section 'Name Resolution / DNS' for important DNS information.

Note (2):

If translate_integers is enabled in the snmptt.ini file, SNMPTT will attempt to convert integer values received in traps into text by performing a lookup in the MIB file.
You must have the Net-SNMP Perl module installed for this to work and you must enable support for it by enabling net_snmp_perl_enable in the snmptt.ini file.

For this feature to work, you must ensure Net-SNMP is configured correctly with all the required MIBS. If the option is enabled, but the value can not be found, the integer value will be used. If the MIB files are present, but translations do not occur, ensure Net-SNMP is correctly configured to process all the required mibs. This is configured in the Net-SNMP /etc/snmp/snmp.conf file. Alternatively, you can try setting the mibs_enviroment variable in snmptt.ini to ALL (no quotes) to force all MIBS to be initialized at SNMPTT startup.

If translate_integers is enabled while using stand-alone mode, it may take longer to process each trap due to the initialization of the MIB files.

Note (3):

$vn, $+n and $-n variable names and variable type are translated into the text name by performing a lookup in the MIB file. You must have the Net-SNMP Perl module installed for this to work and you must enable support for it by enabling net_snmp_perl_enable in the snmptt.ini file. If net_snmp_perl_enable is not enabled, the $vn variable will be replaced with the text 'variablen' where n is the variable number (1+).

For the name translation to work, you must ensure Net-SNMP is configured correctly with all the required MIBS. If the option is enabled and the correct name is not returned, ensure Net-SNMP is correctly configured to process all the required mibs. This is configured in the Net-SNMP snmp.conf file. Alternatively, you can try setting the mibs_enviroment variable in snmptt.ini to ALL (no quotes) to force all MIBS to be initialized at SNMPTT startup.

Note (4):

If translate_trap_oid is enabled in the snmptt.ini file, SNMPTT will attempt to convert the numeric OID of the received trap into symbolic form such as IF-MIB::linkDown. You must have the Net-SNMP Perl module installed for this to work and you must enable support for it by enabling net_snmp_perl_enable in the snmptt.ini file. If net_snmp_perl_enable is not enabled, it will default to using the numeric OID.

Net-SNMP 5.0.9 and earlier does not support including the module name (eg: IF-MIB::) when translating an OID and most of the 5.0.x versions do not properly tranlsate numeric OIDs to long symbolic names. A patch is available for 5.0.8+ that is included in Net-SNMP 5.1.1 and higher. The patch is available from the Net-SNMP patch page.

Note (5):

If translate_oids is enabled in the snmptt.ini file, SNMPTT will attempt to convert any numeric OIDs found inside the variables passed inside the trap to symbolic form. You must have the Net-SNMP Perl module installed for this to work and you must enable support for it by enabling net_snmp_perl_enable in the snmptt.ini file. If net_snmp_perl_enable is not enabled, it will default to using the numeric OID.

Net-SNMP 5.0.9 and earlier does not support including the module name (eg: IF-MIB::) when translating an OID and most of the 5.0.x versions do not properly tranlsate numeric OIDs to long symbolic names. A patch is available for 5.0.8+ that is inlcuded in Net-SNMP 5.1.1 and higher. The patch is available from the Net-SNMP patch page.

Note (6):

The snmptt.ini description_mode option must be set to either 1 or 2. If set to 1, the description is pulled from the SNMPTT.CONF files. If set to 2, the description is pulled from the MIB file. If using the MIB file, you must have the Net-SNMP Perl module installed and enabled.

Note (7):

These variables are only available when using the embedded trap handler for snmptrapd (snmptthandler-embedded).

EXEC

[EXEC command_string]

There can be multiple EXEC lines per EVENT.

Optional string containing a command to execute when a trap is received. The EXEC lines are executed in the order that they appear.

EXEC uses the same variable substitution as the FORMAT line. You can use $Fz on the EXEC line to add the translated FORMAT line instead of repeating what you already defined on FORMAT.

Examples:

EXEC /usr/bin/qpage -f TRAP alex "$r: $x $X - NIC switchover to slot $3, port $4 from slot $5, port $6"

FORMAT NIC switchover to slot $3, port $4 from slot $5, port $6
EXEC /usr/bin/qpage -f TRAP alex "$r: $x $X - $Fz"

EXEC c:\\snmp\\pager netops "$r: $x $X - NIC switchover to slot $3, port $4 from slot $5, port $6"

Note: Unlike the FORMAT line, nothing is prepended to the message. If you would like to include the hostname and date in the page above, you must use the variables such as $r, $x and $X.

Note: If the trap severity is set to LOGONLY in the snmptt.conf file, EXEC will not be executed.

PREEXEC

[PREEXEC command_string]

There can be multiple PREEXEC lines per EVENT.

Optional string containing a command to execute after a trap is received but before the FORMAT and EXEC statements are processed. The output of the external program is stored in the $pn variable where n is a number starting from 1. Multiple PREEXEC lines are permitted. The first PREEXEC stores the result of the command in $p1, the second in $p2 etc. Any ending newlines are removed. The snmptt.ini parameter pre_exec_enable can be used to enable / disable PREEXEC statements.

PREEXEC uses the same variable substitution as the FORMAT line.

Example:

EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "Status Events" Normal  
FORMAT Link down on interface $1($p1). Admin state: $2. Operational state: $3  
PREEXEC /usr/local/bin/snmpget -v 1 -Ovq -c public $aA ifDescr.$1

Sample output:

Link down on interface 69("100BaseTX Port 1/6 Name SERVER1"). Admin state up. Operational state: down

In the above example the result is in quotes because that is what comes back from snmpget (it is not added by SNMPTT).

Note: PREEXEC will execute even if the trap severity is set to LOGONLY in the snmptt.conf file.

NODES

[NODES sources_list]

Used to limit which devices can be mapped to this EVENT definition.

There can be multiple NODES lines per EVENT.

Optional string containing any combination of host names, IP addresses, CIDR network address, network IP address ranges, or a filename. If this keyword is omitted then ALL sources will be accepted. Each entry is checked for a match. As soon as one match occurs, searching stops.

For example, if you only wanted devices on the subnet 192.168.1.0/24 to trigger this EVENT, you could use a NODES entry of:

NODES 192.168.1.0/24

Or, if you wanted devices on IPv4 subnet 192.168.1.0/24 and IPv6 subnet 2001:db8:a::/64:

 NODES 192.168.1.0/24 2001:db8:a::/64

If a filename is specified, it must be specified with a full path.

There are two modes of operation: POS (positive - the default) and NEG (negative). If set to POS, then NODES is a 'match' if any of the NODES entries match. If set to NEG, then NODES is a 'match' only if none of the NODES entries match. To change the mode of operation, use one of the following statements:

NODES MODE=POS
NODES MODE=NEG

A common use for this feature is when you have devices that implement a trap in a non-standard way (added additional variables for example) such as the linkDown and linkUp traps. By defining two EVENT statements and using NODES statements with NODES MODE, you can have one EVENT statement handle the standard devices, and the other handle the other devices with the extended linkDown / linkUp traps.

Example 1:

This example will match any hosts called fred, barney, betty or wilma:

NODES fred barney betty wilma

Example 2:

This example will match any hosts not called fred, barney, betty or wilma:

NODES fred barney betty wilma
NODES MODE=NEG

Example 3:

This example will load the file /etc/snmptt-nodes (see below), and match any hosts called fred, barney, betty, wilma, network ip addresses 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.2.1, network range 192.168.50.0/22 or network range 192.168.60.0-192.168.61.255:

NODES /etc/snmptt-nodes

Example 4:

This example will load both files /etc/snmptt-nodes and /etc/snmptt-nodes2 (see above example):

NODES /etc/snmptt-nodes /etc/snmptt-nodes2

Example 5:

NODES 192.168.4.0/22 192.168.60.0-192.168.61.255 /etc/snmptt-nodes2

Example 6:

NODES fred /etc/snmptt-nodes pebbles /etc/snmptt-nodes2 barney

where snmptt-nodes contains:

fred  
barney betty  
# comment lines  
192.168.1.1 192.168.1.2 192.168.1.3  
192.168.2.1  
192.168.50.0/22  
192.168.60.0-192.168.61.255  
wilma

Notes:

MATCH

[MATCH [MODE=[or | and]] | [$n:[!][( )[i] | n | n-n | > n | < n | x.x.x.x | x.x.x.x-x.x.x.x | x.x.x.x/x]]

Optional match expression that must be evaluated to true for the trap to be considered a match to this EVENT definition.

If a MATCH statement exists, and no matches evaluate to true, then the default will be to NOT match this EVENT definition.

The following Perl regular expression modifiers are supported:

i - ignore case when trying to match

The following command formats are available:

MATCH MODE=[or | and]
MATCH $x: [!] (reg) [i]
MATCH $x: [!] n
MATCH $x: [!] n-n
MATCH $x: [!] < n
MATCH $x: [!] > n
MATCH $x: [!] & n
MATCH $x: [!] x.x.x.x
MATCH $x: [!] x.x.x.x-x.x.x.x
MATCH $x: [!] x.x.x.x/x
MATCH $x: [!] x:x:x
MATCH $x: [!] x:x:x/x

where:

or or and set the default evaluation mode for ALL matches
$x is any variable (example: $3, $A, $* etc)
reg is a regular expression
! is used to negate the result (not)
& is used to perform a bitwise AND
n is a number
x.x.x.x is an IP address
x.x.x.x-x.x.x.x is an IPv4 network address range
x.x.x.x/x is an IPv4 CIDR network addresss
x:x:x is an IPv6 addresss
x:x:x/x is an IPv6 CIDR network addresss

Notes:

Examples:

$2 must be between 1000 and 2000:

MATCH $2: 1000-2000

Any one of the following must match (or): $3 must be 52, or $4 must be an IP address between 192.168.1.10 and 192.168.1.20, or the severity must be 'Major':

MATCH $3: 52
MATCH $4: 192.168.1.10-192.168.1.20
MATCH $s: (Major)

$6 must be IPv6 address 2002:0000:0000:1234:abcd:ffff:c0a8:0101 or in subnet 2002:0000:0000:1234:0000:0000:0000:0000/64:

MATCH $6: 2002::1234:abcd:ffff:c0a8:0101
MATCH $6: 2002:0000:0000:1234:0000:0000:0000:0000/64

All must match (and): $3 must be greater than 20, and $5 must not contain the words alarm or critical, $6 must contain the string '(1) remaining' and $7 must contain the string 'power' which is not case sensitive:

MATCH $3: >20  
MATCH $5: !(alarm|critical)  
MATCH $6: (\(1\) remaining)  
MATCH $7: (power)i  
MATCH MODE=and

The integer $1 must have bit 4 set:

MATCH $1: &8

REGEX

[REGEX( )( )[i][g][e]]

Optional regular expression to perform a search and replace on the translated FORMAT / EXEC line. Multiple REGEX ( )( ) lines are permitted.

First ( ) contains the search expression.
Second ( ) contains the replacement text

The following Perl regular expression modifiers are supported:

i - ignore case when trying to match left side
g - replace all occurances instead of only the first
e - execute the right side (eval) as code

To use substitution with captures (memory parenthesis) or the e modifier, you must first enable support in the snmptt.ini file by setting allow_unsafe_regex to 1. Note: This is considered unsafe because the contents of the right expression is executed (eval) by Perl which could contain unsafe code. If this option is enabled, BE SURE THAT THE SNMPTT CONFIGURATION FILES ARE SECURE!

Each REGEX line is processed in order from top to bottom and are accumulative. The second REGEX operates on the results of the first REGEX etc.

Example:

FORMAT line before: UPS has detected a building alarm. Cause: UPS1 Alarm #14: Building alarm 3.

REGEX (Building alarm 3)(Computer room high temperature)  
REGEX (Building alarm 4)(Moisture detection alarm)  
REGEX (roOm)(ROOM)ig  
REGEX (UPS)(The big UPS)  
REGEX (\s+)( )g

FORMAT line after: The big UPS has detected a building alarm. Cause: UPS1 Alarm #14: Computer ROOM high temperature

To use parentheses ( or ) in the search expression, they must be backslashed (\) otherwise it is interpreted as a capture (see below). The replacement text does not need to be backslashed.

Example:

FORMAT line before: Alarm (1) and (2) has been triggered

REGEX (\(1\))(One)  
REGEX (\(2\))((Two))

FORMAT line after: Alarm One and (Two) has been triggered

If allow_unsafe_regex is enabled, then captures can be used in the replacement text.

Example:

FORMAT line before: The system has logged exception error 55 for the service testservice

REGEX (The system has logged exception error (\d+) for the service (\w+))(Service $2 generated error $1)

FORMAT line after: Service testservice generated error 55

If allow_unsafe_regex is enabled and an e modifier is specified, then the right side is executed (evaluated). This allows you to use Perl functions to perform various tasks such as convert from hex to decimal, format text using sprintf etc. All text must be inside of quotes, and statements can be concatenated together using the dot (.).

Example 1:

FORMAT line before: Authentication Failure Trap from IP address: C0 A8 1 FE

REGEX (Address: (\w+)\s+(\w+)\s+(\w+)\s+(\w+))("address: ".hex($1).".".hex($2).".".hex($3).".".hex($4))ei

FORMAT line after: Authentication Failure Trap from IP address: 192.168.1.254

Example 2:

FORMAT line before: Authentication Failure Trap from IP address: C0 A8 1 FE

REGEX (Address: (\w+)\s+(\w+)\s+(\w+)\s+(\w+))("address:".sprintf("%03d.%03d.%03d.%03d",hex($1),hex($2),hex($3),hex($4)))ie

FORMAT line after: Authentication Failure Trap from IP address: 192.168.001.254

Example 3

This example is for a BGP bgpBackwardTranstion trap. The OID for the bgpBackwardTranstion trap has the IP address of the device that transitioned appended to the end of the OID. To create a meaningful trap message, the IP address needs to be separated from the variable OID. Because the IP address is part of the OID variable name instead of the OID value, a REGEX expression is needed. The following uses the $+1 variable on the FORMAT line so REGEX can parse out the IP address.

FORMAT line before: Peer:$+2

FORMAT line after substitution, but before REGEX: Peer:bgpPeerState.192.168.1.1:idle

REGEX (Peer:.\*\.(\d+\.\d+\.\d+\.\d+):(.\*))("Peer: $1 has transitioned to $2")e

FORMAT line after: Peer: 192.168.1.1 has transitioned to idle

Example 4

This example is a sample of using Perl subroutines inside of a REGEX statement.

FORMAT line before: Extremely severe error has occured

REGEX (Extremely severe error has occured)(("Better get a lotto ticket!!  Here is a lotto number to try:".sprintf ("%s", lottonumber());sub lottonumber { for(my $i=0;$i<6;$i++) { $temp = $temp . " " . (int(rand 49) +1); } return $temp; } )ie

FORMAT line after: Better get a lotto ticket!! Here is a lotto number to try: 36 27 38 32 29 6

Note: The REGEX expression is executed on the final translated FORMAT / EXEC line, after all variable substitutions have been completed.

SDESC

[SDESC]

Optional start of a description. All text between this line and the line EDESC will be ignored by SNMPTT. This section can be used to enter comments about the trap for your own use. If you use a SDESC, you MUST follow with a EDESC.

EDESC

[EDESC]

Used to end the description section.

Example:

SDESC  
Trap used when power supply fails in  
a server.  
EDESC

SNMPTT.CONF Configuration file Notes

When there are multiple definitions of the same trap in the configuration file, the following rules apply:

A match occurs when:

If multiple_event is set to 1 in snmptt.ini:

If multiple_event is set to 0 in snmptt.ini:

Name resolution / DNS

Snmptrapd passes the IP address of the device sending the trap (host name), the host name of the device sending the trap (host name, if configured to resolve host names) and the IP address of the actual SNMP agent (agent).

If the configuration setting dns_enable is set to 0 (dns disabled), then the host name of the AGENT will not be available for the $A variable, NODES matches, and the hostname column in SQL databases. The only exception to this is if the (host) IP address matches the (agent) IP address and snmptrapd is configured to resolve host names. In that case, the host name of the (host) will be used for the (agent) host name as they are obviously the same host.

If the configuration setting dns_enable is set to 1 (dns enabled), then the host name of both the host and the AGENT will be resolved via DNS. NODES entries will also be resolved to IP addresses before performing matches.

The host name may resolve to the Fully Qualified Domain Name (FQDN). For example: barney.bedrock.com. Adding an entry for the host in your /etc/hosts file or %systemroot%\system32\drivers\etc\hosts may result in the short name being used instead (barney). You can also enable the strip_domain / strip_domain_list options to have SNMPTT strip the domain of any FQDN host. See the snmptt.ini file for details.

To allow IP addresses to be resolved to host names, PTR records must exist in DNS or the local hosts file must contain all hosts.

It is recommended that either DNS be installed on the machine running SNMPTT / snmptrapd or a local hosts file be configured will all devices. DNS should be configured as a secondary (authoritive) for the domains that it will receive traps from. This will reduce network resolution traffic, speed up resolution, and remove the dependency of the network for DNS. If a local DNS or hosts file is not used, then the entire network management station could become useless during a DNS / remote network outage and could cause false alarms for network management software.

Sample SNMPTT.CONF files

Sample1

Note: The examples folder also contains a sample snmptt.conf file.

Following is a sample of two defined traps in snmptt.conf:

#  
EVENT COMPAQ_11003 .1.3.6.1.4.1.232.0.11003 "LOGONLY" Normal  
FORMAT Compaq Generic Trap: $*  
EXEC qpage -f TRAP notifygroup1 "Compaq Generic Trap: $*"  
NODES /etc/snmp/cpqnodes  
SDESC  
Generic test trap  
EDESC  
#  
#  
EVENT cpqDa3AccelBatteryFailed .1.3.6.1.4.1.232.0.3014 "Error Events" Critical  
FORMAT Battery status is $3.  
EXEC qpage -f TRAP notifygroup1 "$s $r $x $X: Battery status is $3"  
NODES ntserver1 ntserver2 ntserver3  
#  
#

Sample2

Following is a sample of a list of files to load in snmptt.ini:

snmptt_conf_files = <<END  
/etc/snmp/snmp-compaq.conf  
/etc/snmp/snmp-compaq-hsv.conf  
END

Following is a sample of one defined trap in /etc/snmp/snmptt-compaq.conf:

#  
EVENT COMPAQ_11003 .1.3.6.1.4.1.232.0.11003 "LOGONLY" Normal  
FORMAT Compaq Generic Trap: $*  
EXEC qpage -f TRAP notifygroup1 "Compaq Generic Trap: $*"  
NODES /etc/snmp/cpqnodes  
SDESC  
Generic test trap  
EDESC  
#

Following is a sample of one defined trap in /etc/snmp/snmptt-compaq-hsv.conf:

#  
EVENT mngmtAgentTrap-16025 .1.3.6.1.4.1.232.0.136016025 "Status Events" Normal  
FORMAT Host $1 : SCellName-TimeDate $2 : EventCode $3 : Description $4  
EXEC qpage -f TRAP notifygroup1 "Host $1 : SCellName-TimeDate $2 : EventCode $3 : Description $4"  
SDESC  
"Ema EMU Internal State Machine Error [status:10]"  
EDESC  
#

Notes

trapd.conf & MIB files

An existing HP Openview trapd.conf can be used in most cases but the file must be a VERSION 3 file. SNMPTT does not support all the variables implemented in HPOV, but most are available. The following variables may or may not match exactly to HPOV: $O, $o, $r, $ar, $R, $aR.

Some vendors (such as Compaq and Cisco ) provide a file that can be imported in to HP Openview using an HP Openview utility. snmpttconvert can be used to convert the file to snmptt.conf format.

Some vendors provide a MIB file that contains TRAP or NOTIFICATION definitions. snmpttconvertmib can be used to convert the file to snmptt.conf format.

IPv6

Limitations

Standalone mode only:

With a 450 Mhz PIII (way back in 1998) and a 9000 line snmptt.conf containing 566 unique traps (EVENTs), it took under a second to process the trap including logging and executing the qpage program. The larger the snmptt.conf file is, the longer it will take to process. If there are a large number of traps being received, daemon mode should be used. If it takes 1 second to process one trap, then obviously you shouldn't try to process more than one trap per second. Daemon mode should be used instead.

Note: Enabling the Net-SNMP Perl module will greatly increase the startup time of SNMPTT. Daemon mode is recommended.

Standalone or daemon mode:

The SNMPTRAPD program blocks when executing traphandle commands. This means that if the program called never quits, SNMPTRAPD will wait forever. If a trap is received while the traphandler is running, it is buffered and will be processed when the traphandler finishes. I do not know how large this buffer is.

The program called by SNMPTT (EXEC) blocks SNMPTT. If you call a program that does not return, SNMPTT will be left waiting. In standalone mode, this would cause snmptrapd to wait forever also.

Feedback & Bugs

Please send me any comments - good or bad - to [email protected]. If you have any problems including converting trap files, please send me an email and include the file you are trying to convert and I will try to take a look at it.

Please also send any bug reports, patches or improvements so I can fix / add them and add it to the next release. You can also use Sourceforge for bugs and feature requests.

Integration with other software

Nagios

Overview

This section will outline the basic steps to integrate SNMPTT with Nagios Core. If you are using Nagios XI, see Handling SNMP Traps With Nagios.

Before attempting to integrate SNMPTT with Nagios, please ensure that you have a fully functioning SNMPTT system that can at least log translated traps to a log file.

Nagios Passive Service Checks

Passive service checks allow Nagios to process service check results that are submitted by external applications. Using SNMPTT's EXEC statement, the received trap can be passed to Nagios using the submit_check_result script included with Nagios. Once received by Nagios, Nagios will handle alerting for the trap.

One service is defined for each Nagios host that is to receive traps from SNMPTT. The benefits of using only one service entry is that it makes it easier to set up Nagios. Trying to define every possible trap for every host you have is not recommended. For example, after converting the MIBS from Compaq, there are over 340 traps defined. Trying to define this for every Compaq server would not be a good idea as 40 servers * 340 traps = 13,600 service definitions.

The downside of using only one service entry is that you will only see the last trap that was received on the Nagios console. Alerting will be handled by Nagios for each trap received but the console will only show the last one as being in the warning or critical state. The service will remain in this state until you manually force a service check unless you have freshness checking enabled (Nagios 2.0 and higher). See Clearing received traps in Nagios below.

Nagios Volatile Services

When defining the service for receiving the SNMPTT translated trap, the service must be defined as volatile. When a service is changed from an OK state to a non-OK state, contacts are notified. Normally, a service is Nagios in not defined volatile which means if another service check is performed and the state is still non-OK then NO contacts are notified. Because there is only one service entry for SNMP traps, we need to make sure we are contacted every time a trap comes in.

Creating the Nagios service entry

Following is a sample service entry for Nagios.

define service{
    host_name               server01            # Name of host
    service_description     TRAP                # Name of service.  What you use here must match the same value for the submit_check_result script
    is_volatile             1                   # Enables volatile services
    check_command           check-host-alive    # Used to reset the status to OK when 'Schedule an immediate check of this service' is selected.
    max_check_attempts      1                   # Leave as 1.
    normal_check_interval   1                   # Leave as 1.
    retry_check_interval    1                   # Leave as 1.
    active_checks_enabled   0                   # Prevent active checks from occuring as we are only using passive checks.
    passive_checks_enabled  1                   # Enables passive checks
    check_period            24x7                # Required for freshness checking.
    notification_interval   31536000            # Notification interval.  Set to a very high number to prevent you from
                                                #  getting pages of previously received traps (1 year - restart Nagios 
                                                #  at least once a year! - do not set to 0!).
    notification_period     24x7                # When you can be notified.  Can be changed
    notification_options    w,u,c               # Notify on warning, unknown and critical.  Recovery is not enabled so we do not 
                                                #  get notified when a trap is cleared.
    notifications_enabled   1                   # Enable notifications
    contact_groups          cg_core             # Name of contact group to notify
}

Note: To simplify the configuration, you can create a service template.

Note: Previous versions of this documentation defined a check_period of none, and did not set active_checks_enabled to 0. As of SNMPTT 1.2, setting active_checks_enabled to 0 instead of setting check_period to none is recommened as freshness checks require it. The recovery notification option has also been removed so we do not get notified when a trap is cleared.

Creating the SNMPTT EXEC statement

The Nagios distribution should contain the script submit_check_result in the contrib/eventhandlers directory. Create a directory called eventhandlers under libexec (/usr/local/nagios/libexec) and copy the submit_check_result script to that directory. Make sure the script is executable (chmod +x submit_check_result).

The submit_check_result script expects the following arguments:

host_name svc_description return_code plugin_output

The possible return codes are: 0=OK, 1=WARNING, 2=CRITICAL, -1=UNKNOWN. See the top of the submit_check_result script for a detailed description of each argument.

Create an EXEC statement such as the following for each EVENT entry in your snmptt.conf file:

EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1 "xxxxxx"

where "xxxxxx" is the text for the trap using the same format as the FORMAT statement. For example:

EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1 "Drive $1 in bay $2 has failed"

The variable substitution $r is used to pass the host name, TRAP matches the service definition defined above, 1 represents a WARNING, and "xxxxxx" is the same text used for your FORMAT line.

Instead of repeating the same text as the FORMAT line, you can instead use the $Fz variable in the EXEC statement. For example, to generate the EXEC command when using snmpttconvertmib:

Create a file called exec-commands.txt with (all on one line):

/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 1 "$Fz"

Run snmpttconvertmib using:

snmpttconvertmib --in=/usr/share/snmp/mibs/mibname.mib --out=/etc/snmp/snmptt.conf --exec_mode=1 --exec_file=exec-commands.txt

Note: Run snmpttconvertmib -h for information on the command line options.

You must make sure that the host definition in Nagios matches the hostname that will be passed from SNMPTT using the $r variable. See the section 'Name Resolution / DNS' for important DNS information.

Clearing received traps in Nagios

Using the above configuration, once a trap is received for a host, it will remain in the WARNING state. To clear the trap from the Nagios console, open the TRAP service and click 'Schedule an immediate check of this service'. This will cause the defined service check to be run (check-host-alive in the example above) which will then change the status code to OK and clear the warning after a minute or so, assuming of course the system responds OK to the check-host-alive check. An alternative to using check-host-alive is to create a new command called reset-trap with:

#!/bin/sh  
/bin/echo "OK: No recent traps received"  
exit 0

Be sure to create a command definition in your commands.cfg file. See the 'Object configuration file options' section of the Nagios documentation.

Nagios 2.0 introduced service and host result freshness checks. Service freshness checks can be used to automatically reset the trap notification to an OK state by defining check_freshness and freshness_threshold in the service definition. Using freshness checks is recommended over normal active checks (defined by normal_check_interval) because the next check time of a normal active check does not change when a service changes state. Because of this, if you wanted to clear the trap after 24 hours, the last trap would be cleared some time between when it happened at 24 hours, depending on when the last active check was done. With freshness checking, the check command will be run freshness_threshold seconds after the last passive result was received.

For freshness checking to work, normal_check_interval must be set to 1, valid check_period should be set to 24x7 and the following service definitions should be added.

check_freshness         1           # Enable freshness checking
freshness_threshold     86400       # Reset trap alert every 24 hours.

SNMP heartbeat monitoring

If you have an application that sends periodic SNMP heartbeats, it is possible to use freshness checking to alert if a heartbeat has not been received.

To configure a heartbeat trap, start by creating a new service definition by following 'Creating the Nagios service entry' above, but use a new service_description such as MyApp_heartbeat. Next, add / change the following service definitions.

check_freshness         1                           # Enable freshness checking
freshness_threshold     1200                        # Check freshness every 20 minutes.
check_command           myapp_heartbeat_alarm_set   # Command to execute when a heartbeat is not received within freshness_threshold seconds.
notification_options    w,u,c,r                     # Notify on warning, unknown critical and recovery.

Note: For freshness checking to work, normal_check_interval must be set to 1, and valid check_period should be set to 24x7.

In this example, it is assumed that the heartbeat trap is received every 15 minutes, so a freshness_threshold of 20 minutes was selected in case the heartbeat was delayed.

Create the new myapp_heartbeat_alarm_set command for Nagios:

#!/bin/sh  
/bin/echo "CRITICAL: Heartbeat signal from MyApp was not received!"  
exit 2

Be sure to create a command definition in your commands.cfg file. See the 'Object configuration file options' section of the Nagios documentation.

Next, add an EXEC statement to the snmptt.conf file for the trap definition:

EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r MyApp_heartbeat 1 "Heartbeat signal from MyApp received."

As long as the traps are received, the MyApp_heartbeat service will have an OK status. If the heartbeat is not received, the freshness command will be executed which will set the status to CRITICAL.

Icinga

Overview

This section will outline the basic steps to integrate SNMPTT with Icinga. Some of the configuration and scripts were copied from Icinga's SNMPTT documentation.

Before attempting to integrate SNMPTT with Icinga, please ensure that you have a fully functioning SNMPTT system that can at least log translated traps to a log file.

Icinga Passive Service Checks

Passive service checks allow Icinga to process service check results that are submitted by external applications. Using SNMPTT's EXEC statement, the received trap can be passed to Icinga via the curl program. Once received by Icinga, Icinga will handle alerting for the trap.

In this guide, we setup one service definition for each Icinga host that is to receive traps from SNMPTT. The benefits of using only one service entry is that it makes it easier to set up Icinga. Trying to define every possible trap for every host you have is not recommended. For example, after converting the MIBS from Compaq, there are over 340 traps defined. Trying to define this for every Compaq server would not be a good idea as 40 servers * 340 traps = 13,600 service definitions.

The downside of using only one service entry is that you will only see the last trap that was received on the Icinga console. Alerting will be handled by Icinga for each trap received but the console will only show the last one as being in the warning or critical state. The service will remain in this state until you manually force a service check unless you have freshness checking enabled. See Clearing received traps in Icinga below.

Icinga Volatile Services

When defining the service for receiving the SNMPTT translated trap, the service must be defined as volatile. When a service is changed from an OK state to a non-OK state, contacts are notified. Normally, a service in Icinga is not defined volatile which means if another service check is performed and the state is still non-OK then NO contacts are notified. Because there is only one service entry for SNMP traps, we need to make sure we are contacted every time a trap comes in.

Creating the Icinga service entry

Following is a sample service entry for Icinga.

object Service "TRAP" {  
  host_name = "server1.domain"  
  import "generic-service"

  check_command         = "dummy"  
  event_command         = "trap-reset-event"

  enable_notifications  = 1  
  enable_active_checks  = 0  
  enable_passive_checks = 1  
  enable_flapping       = 0  
  volatile              = 1  
  enable_perfdata       = 0

  vars.dummy_state      = 0  
  vars.dummy_text       = "Manual reset."

  vars.sla              = "24x7"  
}

Note: To simplify the configuration, you can instead apply the service to hosts using an 'apply Service'. See the Icinga SNMPTT documentation for an example.

Creating the SNMPTT EXEC statement

Create an EXEC statement such as the following for each EVENT entry in your snmptt.conf file:

EXEC /usr/bin/curl -k -s -S -i -u apiuser:password -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/process-check-result' -d '{ "type": "Service", "filter": "host.name==\"$A\" && service.name==\"TRAP\"", "exit_status": 2, "plugin_output": "xxxxxx", "check_source": "$A", "pretty": true }'

where apiuser:password is the API username and password, xxxxxx is the text for the trap using the same format as the FORMAT statement.

The variable substitution $A is used to pass the host name for host.name and check_source, TRAP for service.name matches the service definition defined above, exit_status of 1 represents a WARNING, and xxxxxx is the same text used for your FORMAT line.

Instead of repeating the same text as the FORMAT line, you can instead use the $Fz variable in the EXEC statement. For example, to generate the EXEC command when using snmpttconvertmib:

Create a file called exec-commands.txt with (all on one line):

/usr/bin/curl -k -s -S -i -u apiuser:password -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/actions/process-check-result' -d '{ "type": "Service", "filter": "host.name==\"$A\" && service.name==\"TRAP\"", "exit_status": 2, "plugin_output": "$Fz", "check_source": "$A", "pretty": true }'

Run snmpttconvertmib using:

snmpttconvertmib --in=/usr/share/snmp/mibs/mibname.mib --out=/etc/snmp/snmptt.conf --exec_mode=1 --exec_file=exec-commands.txt

Note: Run snmpttconvertmib -h for information on the command line options.

An API user must be defined in api-users.conf with the permission actions/process-check-result. Example:

object ApiUser "snmptt" {  
  password = "xxxxxxxxxxxxxxx"  
  permissions = [ "actions/process-check-result" ]  
}

You must make sure that the host definition in Icinga matches the hostname that will be passed from SNMPTT using the $A variable. See the section 'Name Resolution / DNS' for important DNS information.

Clearing received traps in Icinga

Using the above configuration, once a trap is received for a host, it will remain in the WARNING state. To clear the trap from the Icinga console, open the TRAP service and click 'Check Now'. This will cause the defined event check to be run (trap-reset-event in the example above) which will then change the status code to OK and clear the warning. For this to work, you must define an Icinga command:

object EventCommand "trap-reset-event" {  
  command = [ ConfigDir + "/scripts/trap_reset_event.sh" ]

  arguments = {  
    "-i" = "$service.state_id$"  
    "-n" = "$host.name$"  
    "-s" = "$service.name$"  
  }  
}

Create the trap_reset_event.sh script in ConfDir /scripts (/etc/icinga2/scripts) and make sure it's executable (chmod +x).

#!/bin/bash

SERVICE_STATE_ID=""  
HOST_NAME=""  
SERVICE_NAME=""

show_help()  
{  
cat <<-EOF  
    Usage: ${0##*/} [-h] -n HOST_NAME -s SERVICE_NAME  
    Writes a coldstart reset event to the Icinga command pipe.

      -h                  Display this help and exit.  
      -i SERVICE_STATE_ID The associated service state id.  
      -n HOST_NAME        The associated host name.  
      -s SERVICE_NAME     The associated service name.  
EOF  
}

while getopts "hi:n:s:" opt; do  
    case "$opt" in  
      h)  
          show_help  
          exit 0  
          ;;  
      i)  
          SERVICE_STATE_ID=$OPTARG  
          ;;  
      n)  
          HOST_NAME=$OPTARG  
          ;;  
      s)  
          SERVICE_NAME=$OPTARG  
          ;;  
      '?')  
          show_help  
          exit 0  
          ;;  
      esac  
done

if [ -z "$SERVICE_STATE_ID" ]; then  
    show_help  
    printf "\n  Error: -i required.\n"  
    exit 1  
fi

if [ -z "$HOST_NAME" ]; then  
    show_help  
    printf "\n  Error: -n required.\n"  
    exit 1  
fi

if [ -z "$SERVICE_NAME" ]; then  
    show_help  
    printf "\n  Error: -s required.\n"  
    exit 1  
fi

if [ "$SERVICE_STATE_ID" -gt 0 ]; then  
    echo "[`date +%s`] PROCESS_SERVICE_CHECK_RESULT;$HOST_NAME;$SERVICE_NAME;0;Auto-reset (`date +"%m-%d-%Y %T"`)." >> /var/run/icinga2/cmd/icinga2.cmd  
fi

To have the TRAP service automatically cleared 20 minutes after the last trap was received, modify the service entry to enable active checks and define a check_interval:

enable_passive_checks = 1  
check_interval        = 1200

Zabbix

Information on handling SNMP traps with Zabbix can be found in the Zabbix documentation.

SEC - Simple Event Correlator

Overview

Simple Event Correlator (SEC) is a free and platform independent event correlation tool.

This section will outline the basic steps to integrate SNMPTT with SEC. It will not attempt to explain how SEC works. There is very good documentation available on the SECs web page and a good introduction to SEC can be found here. You should be able to install and configuration SEC before attempting to integrate it with SNMPTT. You should also have a functioning SNMPTT system that can at least log translated traps to a log file.

This section outlines one method of integrating SEC with SNMPTT. Another method is documented in the March 2005 edition of Sys Admin Magazine in an article written by Francois Meehan. A copy of the article is available here.

Here are a couple of examples of why you would want to integrate SNMPTT with SEC:

  1. You have a 'noisy' device that constantly sends the same trap over and over again. It would be possible to simply disable the trap in SNMPTT, but you want the trap to be logged, just not excessively. The SEC 'SingleWithSupress' could be used to reduce the number of traps logged.
  2. Router interfaces often go up and down and you are receiving a trap for each event. You do not want to be alerted every time the interface 'bounces', but you do want to be alerted if it happens many times over a set period of time. You want to be alerted when the interface is down for more than 10 seconds, and then when the interface comes back up.

The following outlines how the flow of traps between SNMPTT and SEC could take place:

  1. SNMPTT receives a trap.
  2. SNMPTT logs the trap to a separate log file such as /var/log/snmptt/snmptt.sec.log using '/bin/echo ...' for the EXEC statement. No FORMAT line is defined so the trap is not logged to the regular snmptt.log log file (or SQL table if a SQL server is used).
  3. SEC monitors the log file for new entries.
  4. SEC correlates the messages from the log file.
  5. When a new alert needs to be generated by SEC based on its rules, SEC will call an external script which will feed the information back into SNMPTT as a trap using a user defined unique trap OID. The unique trap OID is defined in a custom snmptt.conf file (such as /etc/snmp/snmptt.conf.sec).
  6. SNMPTT will process the new trap as it would any other trap by logging to snmptt.log, a SQL table etc.

Configuration Overview

The following outlines how example 2 from above could be handled using SEC. This is a slightly modified version of the example from the SEC Examples page.

The example provides the following:

The following steps need to be completed:

  1. Modify the Cisco snmptt.conf file to output linkDown and linkUp messages to a separate log file.
  2. Create a new snmptt.conf file to handle incoming alerts from SEC
  3. Create a SEC configuration file to correlate the linkDown / linkUp messages and pass new alerts to a script
  4. Create a script that will feed the messages from SEC back in to SNMPTT
  5. Test

1. Modify the Cisco SNMPTT.CONF file

The existing SNMPTT.CONF file needs to be modified to output the linkDown and linkUp messages to a separate log file for processing by SEC.

Following is an example snmptt.conf.cisco file modified to log a linkdown or linkup message to /var/log/snmptt/snmptt.sec.log. As you can see there are no FORMAT lines so the trap will not be logged to the regular SNMPTT log system.

EVENT Cisco_Link_Down .1.3.6.1.6.3.1.1.5.3.1.3.6.1.4.1.9 "Cisco Events" Minor  
EXEC /bin/echo "node=$A msg_text=cisco linkdown trap on interface $1" >> /var/log/snmptt/snmptt.sec.log  
SDESC  
This event occurs when the Cisco agent  
detects an interface has gone down.

A linkDown trap signifies that the sending  
protocol entity recognizes a failure in one of  
the communication links represented in the  
agent's configuration.  
EDESC  
#  
#  
#  
EVENT Cisco_Link_Up .1.3.6.1.6.3.1.1.5.4.1.3.6.1.4.1.9 "Cisco Events" Normal  
EXEC /bin/echo "node=$A msg_text=cisco linkup trap on interface $1" >> /var/log/snmptt/snmptt.sec.log  
SDESC  
This event occurs when the Cisco agent  
detects an interface has come back up.

A linkUp trap signifies that the sending  
protocol entity recognizes that one of the  
communication links represented in the agent's  
configuration has come up.  
EDESC  
#  
#  
#

2. Create a new SNMPTT.CONF file for incoming SEC alerts

A new SNMPTT.CONF file needs to be created which will handle the incoming traps from SEC.

Following is an example snmptt.conf.sec file to accept incoming traps from SEC. Use an enterprise OID that will not interferre with any other OIDs already configured on your system. For example, .1.3.6.1.4.1.9999.

EVENT Cisco_Link_DownUp .1.3.6.1.4.1.9999.1 "Cisco Events" Normal  
FORMAT $1  
#  
#  
#  
EVENT Cisco_Link_DownUp .1.3.6.1.4.1.9999.2 "Cisco Events" Major  
FORMAT $1  
#  
#  
#

3. Create a SEC configuration file

Following is a SEC configuration file that handles the even correlation for the Cisco traps. This file is the same as the file available on the SEC Examples page except comments and file paths have been modified.

########################################################  
          Sample SEC ruleset for SNMPTT  
########################################################

# process Cisco linkDown/linkUp trap events received from  
# SNMPTT via log file

type=PairWithWindow  
ptype=RegExp  
pattern=node=(\S+).*msg_text=cisco linkdown trap on interface (\S+)  
desc=CISCO $1 INTERFACE $2 DOWN  
action=event %s;  
continue2=TakeNext  
ptype2=RegExp  
pattern2=node=$1.*msg_text=cisco linkup trap on interface $2  
desc2=CISCO %1 INTERFACE %2 BOUNCE  
action2=event %s;  
window=20

type=SingleWithSuppress  
continue=TakeNext  
ptype=RegExp  
pattern=CISCO (\S+) INTERFACE (\S+) DOWN  
desc=cisco $1 interface $2 down  
action=reset +1 %s  
window=60

type=Pair  
ptype=RegExp  
pattern=CISCO (\S+) INTERFACE (\S+) DOWN  
desc=cisco $1 interface $2 down  
action=shellcmd /home/snmptt/cisco_msg $1 $2 major down  
ptype2=RegExp  
pattern2=node=$1.*msg_text=cisco linkup trap on interface $2  
desc2=cisco %1 interface %2 up  
action2=shellcmd /home/snmptt/cisco_msg %1 %2 normal up  
window=86400

type=SingleWith2Thresholds  
ptype=RegExp  
pattern=CISCO (\S+) INTERFACE (\S+) BOUNCE  
desc=cisco $1 interface $2 is unstable  
action=shellcmd /home/snmptt/cisco_msg $1 $2 major unstable  
window=3600  
thresh=10  
desc2=cisco $1 interface $2 is stable again  
action2=shellcmd /home/snmptt/cisco_msg $1 $2 normal stable  
window2=10800  
thresh2=0

Here is a quick breakdown of what each rule does:

First rule:

Second rule:

Third rule:

Fourth rule:

4. Create a script to pass a trap back to SNMPTT

Following is a Perl script that passes the information passed from SEC back to SNMPTT by calling snmptthandler directly. This file is basically a modified Perl version of the shell script available on the SEC Examples page.

#!/usr/bin/perl  
#  
# the cisco_msg script:  
#  
use Socket;

node = shift(@ARGV);  
interface = shift(@ARGV);  
severity = shift(@ARGV);  
text  = shift(@ARGV);

temp_ipaddr = gethostbyname($node);  
if (defined($temp_ipaddr)) {  
  $ipaddr = Socket::inet_ntoa(scalar($temp_ipaddr));  
}  
else {  
  $ipaddr = "0.0.0.0";  
}

# use snmpget utility from Net-SNMP package  
ifname=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.2.1.2.2.1.2.$IF`  
description=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.4.1.9.2.2.1.1.28.$IF`

message="Interface $ifname ($description) $text";  
message=~s/\"/\'/g;

open (TRAP, "|/usr/sbin/snmptthandler");

select TRAP;

print "$node\n";  
print "$ipaddr\n";  
print ".1.3.6.1.2.1.1.3.0 00:00:00:00.00\n";  
if ($severity=~/normal/i) {  
  print ".1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.9999.1\n";  
}  
else {  
  print ".1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.9999.2\n";  
}  
print ".1.3.6.1.4.1.9999.1.1 $message\n";  
print ".1.3.6.1.6.3.18.1.3.0 $ipaddr\n";  
print ".1.3.6.1.6.3.18.1.4.0 public\n";  
print ".1.3.6.1.6.3.1.1.4.3.0 .1.3.6.1.4.1.9999\n";

close TRAP;

Windows Event Log forwarding

Overview

The Windows utility Event to Trap Translator (evntwin.exe and evntcmd.exe) can be used to configure Windows to forward user selectable Event Log entries to an SNMP manager when using the Microsoft SNMP service. SNMPTT can be configured to process these traps like any other trap. If the Event to Trap Translator is not already installed on your machine, it should be available from the Microsoft Resource Kit, SMS or after installation of the Microsoft SNMP service (Windows 2000 AS and Windows XP or higher).

This section will outline the basic steps to configure Windows to forward event log entries to Net-SNMP / SNMPTT when using the Microsoft SNMP server (not the Net-SNMP snmpd.exe agent). It will not attempt to explain how evntwin.exe and evntcmd.exe function. Documentation on using evntwin.exe and evntcmd.exe is available on the Microsoft web site and should be reviewed. You should have a functioning SNMPTT system that can at least log translated traps to a log file before attempting this.

SNMP Service

The Windows SNMP Service is the Microsoft SNMP agent which is responsible for handling SNMP requests from management stations such as queries for CPU utilization, disk space etc. The agent is also responsible for sending traps to management stations when an event occurs.

Note: The Microsoft SNMP Trap Service is used to RECEIVE SNMP traps which is similar to the Net-SNMP snmptrapd.exe daemon. The Microsoft SNMP Trap Service is NOT used to send traps and is not required.

Configuring the trap destination

The Windows SNMP agent needs to be configured to forward traps to your Net-SNMP / SNMPTT management station. This is done using the following steps:

After the service is restarted, a coldStart trap will be sent to the management station. If SNMPTT has been configured to translate coldStart messages, you should see a log entry similar to the following:

Thu Sep 9 21:33:06 2004 .1.3.6.1.6.3.1.1.5.1 Normal "Status Events" server1 - Device reinitialized (coldStart)

Note:If the SNMP Service is not listed in the Services Control Panel, then it needs to be installed using Add/Remove Programs. Under Add/Remove Windows Components, select Management and Monitoring Tools and then Simple Network Management Protocol.

Configuring the Event to Trap Translator

The following steps explain how to configure the Event to Trap Translator to forward system logon failures to SNMPTT:

The SNMP agent should now forward all logon failures to the SNMP management station. A restart of the SNMP service should not be necessary.

Configuring SNMPTT to accept the Microsoft traps

An SNMPTT.CONF file needs to be created to handle the Microsoft traps. All Microsoft traps start with .1.3.6.1.4.1.311.1.13.1. For simplicity, a single SNMPTT.CONF EVENT entry will be used with a wildcard to accept all Microsoft traps. Following is an example snmptt.conf.microsoft file which needs to be included in the list of .conf files in the TrapFiles section in snmptt.ini:

EVENT EventLog .1.3.6.1.4.1.311.1.13.1.* "Regular" Normal
FORMAT EventLog entry: $1

The first enterprise variable ($1) contains the complete text that is displayed in the Event Log Description box. Variables are described in more detail in the Advanced Section.

After creating the snmptt.conf.microsoft file and adding it to the snmptt.ini, restart SNMPTT.

Testing

To test that the trap is received by SNMPTT, a logon failure in Windows should be created.

Your default installation of Windows may not create Event Log entries for unsuccessful logins. To configure Windows to log all failed logins, follow these steps:

The settings should take effect immediately, and a reboot should not be required.

To generate an event log entry, you can either log off and try to log on to the system with an invalid username and password, or use the runas.exe command from command prompt. For example:

runas /user:fakeuser cmd

When prompted for a password, press Enter.

SNMPTT should log something similar to the following:

Thu Sep 9 21:05:40 2004 .1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.529 Normal "Regular" server1 - Event Log entry: Logon Failure:.....Reason:..Unknown user name or bad password.....User Name:.fakeuser.....Domain:.......Logon Type:.joint-iso-ccitt.....Logon Process:.seclogon.....Authentication Package:.Negotiate.....Workstation Name:.SERVER1.

The text in the log entry should match the text in the Description field of the Event Log entry but without the formatting.

Advanced Configuration

Specific EVENTs

Instead of using a wildcard EVENT entry to match all Microsoft traps, it is possible to create EVENT entries for each trap. As SNMPTT will only match using wildcard entries if there is no exact EVENT match, it may be desirable to create EVENT entries for a select number of important events, and keep the wildcard to catch any others.

To determine the trap OID that will be used for the EVENT, display the entry in evntwin.exe and combine the Enterprise OID, a 0 and the Trap Specific ID. For example, for the security event ID 529 used above:

Enterprise OID: 1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121

Trap Specific ID: 529

Based on the information above, the following EVENT line would be used::

EVENT EventLog 1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.529 "Regular" Normal

Enterprise variables

Each trap sent from the Event to Trap Translator contains the text displayed in the Description, User and Computer fields for the Event Log. Also passed are the individual variables which are used by the Windows SNMP Service to create the Description field in the Event Log.

The following lists the enterprise variables that can be used in SNMPTT for each trap:

As the individual variables are passed in the trap, it is possible to recreate the FORMAT line instead of using the passed Description ($1) field. For example, $1 in the previous example contains:

Logon Failure:.....Reason:..Unknown user name or bad password.....User Name:.fakeuser.....Domain:.......Logon Type:.joint-iso-ccitt.....Logon Process:.seclogon.....Authentication Package:.Negotiate.....Workstation Name:.SERVER1.

By reviewing the Description field as defined in the evntwin.exe utility, a new cleaned up FORMAT line can be used that does not contain all the dots.

Following is the text from the Description field in evntwin.exe which will be used as a reference. Notice the use of %n variables which are equivalent to the SNMPTT $n variables +5 (%1 = SNMPTT's $6). Note: In the example below, %n is a newline and %t is a tab while %n is a variable number.

Logon Failure:%n %tReason:%t%tUnknown user name or bad password%n %tUser Name:%t%1%n %tDomain:%t%t%2%n %tLogon Type:%t%3%n %tLogon Process:%t%4%n %tAuthentication Package:%t%5%n %tWorkstation Name:%t%6

The EVENT entry could be cleaned up using:

EVENT EventLog 1.3.6.1.4.1.311.1.13.1.8.83.101.99.117.114.105.116.121.0.529 "Regular" Normal  
FORMAT Logon Failure: Reason: Unknown user name or bad password. User Name: $6, Domain: $7, Logon Type: $8, Logon Process: $9, Auth package: $10, Workstation name: $11

Xymon / Hobbit

Information on handling SNMP traps with Xymon (formerly Hobbit) can be found at http://cerebro.victoriacollege.edu/hobbit-trap.html.


Last modified: Saturday, 27-Nov-2021 17:36:28 UTC