
[SAGE] Re: snmptrapd/snmptrap configs and examples?



Brent Chapman <Brent@GreatCircle.COM> writes:

> I'd like to decode SNMP traps and feed them into Splunk, which is a 
> cool new index/search tool for log data (see 
> http://www.splunk.com/index.php/articles/news/86 for an overview of 
> what it is and how it works).
>
> The server I'm using (running the Centos 4.1 variant of RedHat) has 
> the standard net-snmp package (net-snmp-5.1.2) installed, which 
> includes "snmptrapd", which looks like it ought to do what I need... 
> Unfortunately the documentation is, let's just say, "abstract"... 
> I'd love to see some sample configs, if anybody could send me or 
> point me to any.
>
> I'd also like to use the "snmptrap" program (part of the same 
> package) to send test traps to the snmptrapd server.  Its 
> documentation is similarly un-useful for what I'm trying to do, so 
> I'd love to see some examples of usage of that program, too.

Yeah, me too.  I scribbled some notes down once I finally got it working.
They're not pretty but should get you going.  Names changed to protect the
innocent.

------------------------------------------------------------------------------

Just make it work, please!

The S in SNMP is one of the biggest lies in the long line of lies involving
the letter S as the first letter of so many protocols.

Here's a step-by-step guide to getting snmpd and snmptrapd working under
Debian. You can adapt it to any system running Net-SNMP version 5.

/etc/hosts.allow needs a line like this:

snmpd: 192.168.10.10

/etc/snmp/snmpd.conf needs lines like this:

# First, map the community name (YOUR-COMMUNITY) into a security name
# (infwnet); the source address restricts which hosts may use it:
com2sec infwnet   192.168.10.10  YOUR-COMMUNITY

# Second, map the security name into a group, once per SNMP version/model:
group MyROGroup v1         infwnet
group MyROGroup v2c        infwnet
group MyROGroup usm        infwnet

# Third, create a view for us to let the groups have rights to:
view all    included  .1                               80

# Finally, grant the group access to the view (read only: no write, no notify)
access MyROGroup  ""      any       noauth    exact  all    none   none

Then this should work:

snmpwalk -v1 -c YOUR-COMMUNITY 192.168.10.10 .

snmptrapd

So you want traps? Note that unlike snmpd, snmptrapd fails silently when
TCP wrappers denies your connection.

First, add this to /etc/hosts.allow:

snmptrapd: 192.168.10.10

Make sure this line is in /etc/snmp/snmpd.conf:

master agentx

And read the Net-SNMP trap tutorial. Put the two MIB files into
/usr/share/snmp/mibs/MIB-NAME-MIB.txt then edit /etc/default/snmpd and add
this to the SNMPDOPTS and the TRAPDOPTS lines:

-M /usr/share/snmp/mibs -m ALL

And, of course, make sure snmptrapd will start by setting this in
/etc/default/snmpd:

TRAPDRUN=yes

All that should allow this to work:

snmptrap -v 1 -c public 192.168.10.10 TRAP-TEST-MIB::demotraps localhost 6 17  SNMPv2-MIB::sysLocation.0 s "Just here"

Which will append something like this to /var/log/daemon.log:

Jul 23 10:12:18 beans snmptrapd[25741]: 2005-07-23 10:12:18 localhost [127.0.0.1] (via 168.24.80.68) TRAP, SNMP v1, community tss-public ^I.1.3.6.1.4.1.2021.13.990 Enterprise Specific Trap (17) Uptime: 45 days, 9:39:51.17 ^I.1.3.6.1.2.1.1.6.0 = STRING: Just here

So now you want to run your very own trap handler? Put these lines (stolen
from the tutorial) in /etc/snmp/snmptrapd.conf:

traphandle TRAP-TEST-MIB::demo-trap             /tmp/go demo-trap
traphandle NOTIFICATION-TEST-MIB::demo-notif    /tmp/go demo-notif

Make /tmp/go look like this (also stolen) and be sure it's executable:

#!/bin/sh
# snmptrapd feeds the handler on stdin: the sender's hostname, then its
# address, then one "<oid> <value>" line per varbind.  $1 is the tag
# given on the traphandle line in snmptrapd.conf.

read -r host
read -r ip
vars=

while read -r oid val
do
  if [ "$vars" = "" ]
  then
    vars="$oid = $val"
  else
    vars="$vars, $oid = $val"
  fi
done

echo "trap: $1 $host $ip $vars" > /tmp/go.out

What you get when a trap occurs

An authentication failure trap from the UPS generates this syslog message:

Aug  9 11:25:04 elwood snmptrapd[19573]: 2005-08-09 11:25:04 your.host.com [192.168.10.10] (via 192.168.10.10) TRAP, SNMP v1, community YOUR-COMMUNITY     .1.3.6.1.4.1.476.1.1.1.11 Authentication Failure Trap (0) Uptime: 12 days, 1:41:34.30 

The trap handling script above has output like this:

your.host.com 192.168.10.10
.1.3.6.1.2.1.1.3.0     = 0:0:00:07.30,
.1.3.6.1.6.3.1.1.4.1.0 = .1.3.6.1.6.3.1.1.5.1,
.1.3.6.1.6.3.18.1.3.0  = 168.24.80.51,
.1.3.6.1.6.3.18.1.4.0 = "YOUR-COMMUNITY",
.1.3.6.1.6.3.1.1.4.3.0 = .1.3.6.1.4.1.476.1.1.1.11
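Since the original question was about getting decoded traps into a log indexer, here is an added example (mine, not from the notes above or from Net-SNMP) of a traphandle script that reads the same stdin format snmptrapd gives /tmp/go (hostname, address, then one "oid value" line per varbind) and appends a single key=value line per trap, which Splunk-style tools extract fields from without custom parsing. The log path in TRAP_LOG and the sample trap piped in for testing are my own assumptions and constructed data, not anything from the page.

```shell
#!/bin/sh
# Added example: snmptrapd traphandle script that emits one key=value line per trap.
#
# snmptrapd writes to the handler's stdin:
#   line 1:   hostname of the trap sender
#   line 2:   address of the trap sender
#   line 3..: "<oid> <value>", one varbind per line
# $1 is the tag from the traphandle line in snmptrapd.conf (demo-trap, ...).
# Hooked up with e.g.:
#   traphandle TRAP-TEST-MIB::demo-trap  /usr/local/bin/trap2kv demo-trap

# Assumed log location; override with the TRAP_LOG environment variable.
TRAP_LOG="${TRAP_LOG:-/tmp/snmptrap-kv.log}"

# format_trap TAG  -- read one trap from stdin, print it as key=value pairs.
format_trap() {
    tag="$1"
    read -r host
    read -r ip
    line="trap=\"$tag\" host=\"$host\" ip=\"$ip\""
    n=0
    while read -r oid val
    do
        # skip blank lines (some snmptrapd versions end with one)
        [ -z "$oid" ] && continue
        n=$((n + 1))
        # values may carry spaces and quotes (STRING varbinds arrive quoted);
        # escape embedded double quotes so the field stays parseable
        val=$(printf '%s' "$val" | sed 's/"/\\"/g')
        line="$line vb${n}_oid=\"$oid\" vb${n}_val=\"$val\""
    done
    printf '%s\n' "$line"
}

# When run by snmptrapd (a tag is passed), append the formatted trap to the log.
if [ $# -gt 0 ]
then
    format_trap "$1" >> "$TRAP_LOG"
fi
```

Keeping varbinds as numbered vb1_oid/vb1_val pairs rather than using the OID itself as a field name avoids keys containing dots, which several indexers mangle, and because a whole trap becomes one line, multi-line reassembly is never needed on the indexing side.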