This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
manual:config:items:itemtypes:snmptrap [2015/09/21 14:43] richlv [Configuring Zabbix server/proxy] link to documentation about PrivateTmp |
manual:config:items:itemtypes:snmptrap [2021/01/27 19:24] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ==== - #3 SNMP traps ==== | + | ==== 3 SNMP traps ==== |
=== Overview === | === Overview === | ||
Line 18: | Line 18: | ||
- Zabbix SNMP trapper reads and parses the trap file | - Zabbix SNMP trapper reads and parses the trap file | ||
- For each trap Zabbix finds all "SNMP trapper" items with host interfaces matching the received trap address. Note that only the selected "IP" or "DNS" in host interface is used during the matching. | - For each trap Zabbix finds all "SNMP trapper" items with host interfaces matching the received trap address. Note that only the selected "IP" or "DNS" in host interface is used during the matching. | ||
- | - For each found item, the trap is compared to regex in "snmptrap[regex]". The trap is set as the value of **all** matched items. If no matching item is found and there is an "snmptrap.fallback" item, the trap is set as the value of that. | + | - For each found item, the trap is compared to regexp in "snmptrap[regexp]". The trap is set as the value of **all** matched items. If no matching item is found and there is an "snmptrap.fallback" item, the trap is set as the value of that. |
- If the trap was not set as the value of any item, Zabbix by default logs the unmatched trap. (This is configured by "Log unmatched SNMP traps" in Administration -> General -> Other.) | - If the trap was not set as the value of any item, Zabbix by default logs the unmatched trap. (This is configured by "Log unmatched SNMP traps" in Administration -> General -> Other.) | ||
Line 36: | Line 36: | ||
^ Description ^ Return value ^ Comments ^ | ^ Description ^ Return value ^ Comments ^ | ||
| ||| | | ||| | ||
- | ^snmptrap[regex] ||| | + | ^snmptrap[regexp] ||| |
- | | Catches all SNMP traps from a corresponding address that match the [[:manual/regular_expressions|regular expression]] specified in **regex** | SNMP trap | This item can be set only for SNMP interfaces. \\ This item is supported since Zabbix **2.0.0.**\\ //Note//: Starting with Zabbix 2.0.5, user macros and global regular expressions are supported in the parameter of this item key. | | + | | Catches all SNMP traps that match the [[:manual/regular_expressions|regular expression]] specified in **regexp**. If regexp is unspecified, catches any trap. | SNMP trap | This item can be set only for SNMP interfaces. \\ This item is supported since Zabbix **2.0.0.**\\ //Note//: Starting with Zabbix 2.0.5, user macros and global regular expressions are supported in the parameter of this item key. | |
| ||| | | ||| | ||
^snmptrap.fallback ||| | ^snmptrap.fallback ||| | ||
- | | Catches all SNMP traps from a corresponding address that were not caught by any of the snmptrap[] items for that interface | SNMP trap | This item can be set only for SNMP interfaces.\\ This item is supported since Zabbix **2.0.0.** | | + | | Catches all SNMP traps that were not caught by any of the snmptrap[] items for that interface. | SNMP trap | This item can be set only for SNMP interfaces.\\ This item is supported since Zabbix **2.0.0.** | |
- | <note>Multi-line regex matching is not supported at this time.</note> | + | <note>Multi-line regexp matching is not supported at this time.</note> |
Set the **Type of information** to be 'Log' for the timestamps to be parsed. Note that other formats such as 'Numeric' are also acceptable but might require a custom trap handler. | Set the **Type of information** to be 'Log' for the timestamps to be parsed. Note that other formats such as 'Numeric' are also acceptable but might require a custom trap handler. | ||
Line 63: | Line 63: | ||
<note tip>For the best performance, SNMPTT should be configured as a daemon using **snmptthandler-embedded** to pass the traps to it. See instructions for configuring SNMPTT in its homepage:\\ [[http://snmptt.sourceforge.net/docs/snmptt.shtml]]</note> | <note tip>For the best performance, SNMPTT should be configured as a daemon using **snmptthandler-embedded** to pass the traps to it. See instructions for configuring SNMPTT in its homepage:\\ [[http://snmptt.sourceforge.net/docs/snmptt.shtml]]</note> | ||
- | When SNMPTT is configured to receive the traps, configure SNMPTT to log the traps: | + | When SNMPTT is configured to receive the traps, configure ''snmptt.ini'': |
+ | - enable the use of the Perl module from the NET-SNMP package:\\ net_snmp_perl_enable = 1 | ||
- log traps to the trap file which will be read by Zabbix:\\ log_enable = 1\\ log_file = [TRAP FILE] | - log traps to the trap file which will be read by Zabbix:\\ log_enable = 1\\ log_file = [TRAP FILE] | ||
- set the date-time format:\\ date_time_format = %H:%M:%S %Y/%m/%d = [DATE TIME FORMAT] | - set the date-time format:\\ date_time_format = %H:%M:%S %Y/%m/%d = [DATE TIME FORMAT] | ||
- | Now format the traps for Zabbix to recognise them (edit snmptt.conf): | + | |
+ | <note warning>The %%"%%net-snmp-perl%%"%% package has been removed in RHEL/CentOS 8.0-8.2; re-added in RHEL 8.3. For more information, see the [[:manual/installation/known_issues#snmp_traps|known issues]].</note> | ||
+ | |||
+ | Now format the traps for Zabbix to recognize them (edit snmptt.conf): | ||
- Each FORMAT statement should start with "ZBXTRAP [address]", where [address] will be compared to IP and DNS addresses of SNMP interfaces on Zabbix. E.g.:\\ EVENT coldStart .1.3.6.1.6.3.1.1.5.1 "Status Events" Normal\\ FORMAT ZBXTRAP $aA Device reinitialized (coldStart) | - Each FORMAT statement should start with "ZBXTRAP [address]", where [address] will be compared to IP and DNS addresses of SNMP interfaces on Zabbix. E.g.:\\ EVENT coldStart .1.3.6.1.6.3.1.1.5.1 "Status Events" Normal\\ FORMAT ZBXTRAP $aA Device reinitialized (coldStart) | ||
- See more about SNMP trap format below. | - See more about SNMP trap format below. | ||
- | <note important>Do not use unknown traps - Zabbix will not be able to recognise them. Unknown traps can be handled by defining a general event in snmptt.conf:\\ EVENT general .* "General event" Normal</note> | + | <note important>Do not use unknown traps - Zabbix will not be able to recognize them. Unknown traps can be handled by defining a general event in snmptt.conf:\\ EVENT general .* "General event" Normal</note> |
== Configuring Perl trap receiver == | == Configuring Perl trap receiver == | ||
Line 80: | Line 84: | ||
Regexp modifier "/l" may not appear twice at (eval 2) line 1, at end of line | Regexp modifier "/l" may not appear twice at (eval 2) line 1, at end of line | ||
</note> | </note> | ||
+ | |||
+ | <note warning>net-snmp agent does not support AES256 with SNMPv3/USM.</note> | ||
== SNMP trap format == | == SNMP trap format == | ||
- | All customised perl trap receivers and SNMPTT trap configuration must format the trap in the following way: | + | All customized perl trap receivers and SNMPTT trap configuration must format the trap in the following way: |
**[timestamp] [the trap, part 1] ZBXTRAP [address] [the trap, part 2]**, where | **[timestamp] [the trap, part 1] ZBXTRAP [address] [the trap, part 2]**, where | ||
* [timestamp] - timestamp used for log items | * [timestamp] - timestamp used for log items | ||
Line 90: | Line 96: | ||
=== - System requirements === | === - System requirements === | ||
+ | |||
+ | == Large file support == | ||
+ | |||
+ | Zabbix has "Large file support" for SNMP trapper files. The maximum file size that Zabbix can read is 2^63 (8 EiB). Note that the filesystem may impose a lower limit on the file size. | ||
== Log rotation == | == Log rotation == | ||
Line 98: | Line 108: | ||
- The new data are parsed. If this was the rotated file, the file is closed and goes back to step 2. | - The new data are parsed. If this was the rotated file, the file is closed and goes back to step 2. | ||
- If there was no new data, Zabbix sleeps for 1 second and goes back to step 2. | - If there was no new data, Zabbix sleeps for 1 second and goes back to step 2. | ||
- | |||
- | <note important>The maximum log file size supported by Zabbix is 2 gigabytes. The log file must be rotated before reaching this limit.</note> | ||
== File system == | == File system == | ||
Line 108: | Line 116: | ||
- **zabbix_server.conf** - configure Zabbix to start SNMP trapper and set the trap file:\\ StartSNMPTrapper=1\\ SNMPTrapperFile=/tmp/my_zabbix_traps.tmp | - **zabbix_server.conf** - configure Zabbix to start SNMP trapper and set the trap file:\\ StartSNMPTrapper=1\\ SNMPTrapperFile=/tmp/my_zabbix_traps.tmp | ||
- **snmptrapd.conf** - add SNMPTT as the trap handler:\\ traphandle default snmptt | - **snmptrapd.conf** - add SNMPTT as the trap handler:\\ traphandle default snmptt | ||
- | - **snmptt.ini** - configure output file and time format:\\ log_file = /tmp/my_zabbix_traps.tmp\\ date_time_format = %H:%M:%S %Y/%m/%d | + | - **snmptt.ini** -\\ enable the use of the Perl module from the NET-SNMP package:\\ net_snmp_perl_enable = 1\\ configure output file and time format:\\ log_file = /tmp/my_zabbix_traps.tmp\\ date_time_format = %H:%M:%S %Y/%m/%d |
- **snmptt.conf** - define a default trap format: \\ EVENT general .* %%"General event"%% Normal\\ FORMAT ZBXTRAP $aA $ar | - **snmptt.conf** - define a default trap format: \\ EVENT general .* %%"General event"%% Normal\\ FORMAT ZBXTRAP $aA $ar | ||
- Create an SNMP item TEST:\\ Host's SNMP interface IP: 127.0.0.1\\ Key: %%snmptrap["General"]%%\\ Log time format: hh:mm:ss yyyy/MM/dd | - Create an SNMP item TEST:\\ Host's SNMP interface IP: 127.0.0.1\\ Key: %%snmptrap["General"]%%\\ Log time format: hh:mm:ss yyyy/MM/dd | ||
This results in: | This results in: | ||
- | - Command used to send a trap:\\ snmptrap -v 1 -c public 127.0.0.1 '.1.3.6.1.6.3.1.1.5.3' '0.0.0.0' 6 33 '55' .1.3.6.1.6.3.1.1.5.3 s "teststring000" | + | - Command used to send a trap:\\ snmptrap -v 1 -c public 127.0.0.1 '.1.3.6.1.6.3.1.1.5.3' '0.0.0.0' 6 33 '55' .1.3.6.1.6.3.1.1.5.3 s <nowiki>"teststring000"</nowiki> |
- The received trap:\\ 15:48:18 2011/07/26 .1.3.6.1.6.3.1.1.5.3.0.33 Normal %%"General event"%% localhost - ZBXTRAP 127.0.0.1 127.0.0.1 | - The received trap:\\ 15:48:18 2011/07/26 .1.3.6.1.6.3.1.1.5.3.0.33 Normal %%"General event"%% localhost - ZBXTRAP 127.0.0.1 127.0.0.1 | ||
- Value for item TEST:\\ 15:48:18 2011/07/26 .1.3.6.1.6.3.1.1.5.3.0.33 Normal %%"General event"%% localhost - 127.0.0.1 | - Value for item TEST:\\ 15:48:18 2011/07/26 .1.3.6.1.6.3.1.1.5.3.0.33 Normal %%"General event"%% localhost - 127.0.0.1 | ||
<note tip>This simple example uses SNMPTT as **traphandle**. For better performance on production systems, use embedded Perl to pass traps from snmptrapd to SNMPTT or directly to Zabbix.</note> | <note tip>This simple example uses SNMPTT as **traphandle**. For better performance on production systems, use embedded Perl to pass traps from snmptrapd to SNMPTT or directly to Zabbix.</note> | ||
+ | === - See also === | ||
+ | |||
+ | * [[https://blog.zabbix.com/snmp-traps-in-zabbix|Zabbix blog article on SNMP traps]] | ||
+ | * [[https://www.zabbix.org/wiki/Start_with_SNMP_traps_in_Zabbix|CentOS based SNMP trap tutorial on zabbix.org]] |