Using Zabbix to capture SNMP-Traps

Zabbix can be used to capture and log snmp traps. This is done by using a net-snmp-based snmp-trap daemon and a short handler script for received snmp traps.

This documentation is for zabbix >= 1.4.4 (or even >= 1.4). The snmp trap-handling there is different as in former versions. (The options for zabbix_sender have been changed for instance)

Install the package snmpd:

  apt-get update && apt-get install snmpd

Configure Debian's default options for snmpd in /etc/default/snmpd and change

  SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

to

  SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'

and

  TRAPDRUN=no

to

  TRAPDRUN=yes

Now, copy the trap handler perl script here to your zabbix-installation's bin-directory and add it to the list of trap handlers in /etc/snmp/snmptrapd.conf:

  traphandle default <your zabbix-installation>/bin/snmptrap.pl

Then restart snmpd:

  /etc/init.d/snmpd restart

The trap-daemon should be running and handling snmp traps now.

The perl-script located here will be our traphandler. Download it and put it in your zabbix's bin-directory (<your zabbix-installation>/bin/snmptrap.pl). Then you have to configure it:

• $onlyinteresting: Set this variable to “TRUE”, if you want the traphandler to filter out only relevant information from a trap. This relevant information consists of the host's uptime, the trap's oid, community and SMI-informations. Set it to “FALSE” to send each and every information received to the host.
• $zabbix_server: Configure the hostname/ip of your zabbix-server
• $zabbix_port: Configure the port of your zabbix-server
• $item: Configure the name of the snmptraps-item you've created above
• $wildcard_host: The name of the zabbix host, to which all traps should be sent, that cannot be sent to the real host
• $alltowildcard: Set this to “TRUE” to disable the check for the real host and send the trap to the wildcard host at all time
• $path_to_zabbix: Your zabbix installation directory
• $zabbix_sender: The program name of the zabbix_sender

Sadly zabbix currently doesn't support specifying a hostname or an ip-address when using zabbix_sender, one can only set the name of the host in zabbix. So there has to be a mapping between the received hostname or ip-address from the trap and the name of the host in zabbix.

There are a few options available here by configuring $mapping_method and (optionally) $mapping_option:

• $mapping_method = “hostname”: Just use the received hostname
• $mapping_method = “ip”: Just use the received ip-address
• $mapping_method = “hostname_nonfqdn”: Typically the hostname is received in a fqdn-form (host.subdomain.domain.tld). The name of the host in zabbix is specified as “host” though.
• $mapping_method = “regexp”: Use the regexp in “mapping_option”. The first group is the name of the host in zabbix.
• $mapping_method = “regexp_ip”: Same as above, but use the regexp on the received ip address

Besides these options you can use a mapping file ($mapping_method = “mapfile”) like this:

duffy.mydomain.com:firstserver
tweety.mydomain.com:secondserver

This way, the received hostname “duffy.mydomain.com” will be mapped to the name “firstserver” in zabbix. Put the filename of the mapping file into $mapping_option.

The same can be achieved for the ip addresses by using $mapping_method = “mapfile_ip”.

The traphandler below supports sending snmp trap information to host's items in zabbix or to a so-called wildcard-host. When a host, for which a trap is received doesn't exist in zabbix or any other error should occur, the trap is send to the wildcard-host.

Add a new template for the snmptraps-item, then add the snmptraps-item to it. Use this configuration for the new item:

• Type: ZABBIX trapper
• Key: snmptraps
• Type of information: Character

After that create a wildcard host or use another existent host (I've used the zabbix server itself) and add the new template to it. Then you can add the template to other existent hosts, which could probably send snmptraps.