Ad Widget

Collapse

Help required on configuring PORT flapping trigger based on snmp

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • zabbixfk
    Senior Member
    • Jun 2013
    • 256
    #1

    Help required on configuring PORT flapping trigger based on snmp

    Hi,

    I am trying to monitor a firewall based on snmp through zabbix. I followed below steps.

    1). Enabled snmp for zabbix server on firewall.
    2). Configured discovery for ifName with OID
    Code:
    .1.3.6.1.2.1.31.1.1.1.1
    3). Configured Item Prototypes based on respective OID's.

    Now i am able to see the snmp data published by firewall under Monitoring-> Latest Data.

    Then i configured trigger prototype , as direct configuring trigger is not possible since port up/down details are obtained using
    Code:
    ifOperStatus[{#SNMPVALUE}]
    under item prototypes. Configured trigger prototype as ,
    Name:
    Code:
    Operational Status on {HOST.HOST} -> {HOST.IP} : PortName:{#SNMPVALUE}, Value:{ITEM.VALUE1}
    Expression:
    Code:
    {ZBX-FORTINET-INTERFACES:ifOperStatus[{#SNMPVALUE}].diff(0)}>0
    Description: Triggered when Port status changed.
    Severity: High

    Now, this is triggered when port status changed on firewall.

    a). Is it a correct expression to say port up/down is observed?

    b). How do i configured email sending for this trigger prototype? ( I tried to get this under Configurations -> Actions , its showing only Host level. But i wanted based on trigger prototype.

    c). How do i add another trigger which says Port flapping , for example, for 5 mins, port status changed continuesly, and when it gets rectified ( say port is up now for 5 mins), and send an OKAY email.

    Any pointers are greatly helpful.

    Thanks
    Tags: None
    • zabbixfk
      Senior Member
      • Jun 2013
      • 256
      #2
      Help required on configuring PORT flapping trigger based on snmp

      *bump*

      I know this thread is close to 2+ years old, but still i am not able to get this working.
      I see two triggers for my expression.
      My trigger looks like this
      Code:
      {ZBX-FORTINET-INTERFACES:ifOperStatus[{#SNMPVALUE}].diff(0)}>0
      Value is been polled for every minute. When port goes down , it initiates an Problem email, and trigger says problem. Now next minute its still down, but trigger becomes OK and OK email sent.
      Then after sometime when i enable interface, trigger becomes PROBLEM, then next minute OK.
      Just wondering how can i keep only 2 events and one trigger.
      1). One when port becomes Down ( or Problem)
      2). Second port becomes UP ( or OK).
      So only two emails sent ( though only one action is created for sending email)

      Any pointers greatly helpful.

      Thanks

        Comment

        • Linwood
          Senior Member
          • Dec 2013
          • 398
          #3
          Originally posted by zabbixfk
          *bump*

          I know this thread is close to 2+ years old, but still i am not able to get this working.
          I see two triggers for my expression.
          My trigger looks like this
          Code:
          {ZBX-FORTINET-INTERFACES:ifOperStatus[{#SNMPVALUE}].diff(0)}>0
          Value is been polled for every minute. When port goes down , it initiates an Problem email, and trigger says problem. Now next minute its still down, but trigger becomes OK and OK email sent.
          Then after sometime when i enable interface, trigger becomes PROBLEM, then next minute OK.
          Just wondering how can i keep only 2 events and one trigger.
          1). One when port becomes Down ( or Problem)
          2). Second port becomes UP ( or OK).
          So only two emails sent ( though only one action is created for sending email)

          Any pointers greatly helpful.

          Thanks
          Fundamentally what your trigger says is "the Operational Status changed". You probably want it to say "The interface went down", right?

          I don't know the values off hand for up/down/etc., but let's say for the sake of argument that 0 is down and 1 is up, then:

          Code:
          {ZBX-FORTINET-INTERFACES:ifOperStatus[{#SNMPVALUE}].last()}=0
          will alert when the status is zero (by example = down), and stop alerting when it goes up.

          Now for interfaces this may not be adequate, as you may have interfaces that are always down. So you might want to combine conditions (I'm going to skip the whole thing and just abbreviate) like:

          last()=0 and last(#2)=1

          Will say "alert when it was previously up and is now down" (again, speculating about 0 and 1). HOWEVER, if it stays down this becomes false on the next poll as the last(#2) is now down, not up, so you add in trigger values:

          ({TRIGGER.VALUE}=0 and last()=0 and last(#2)=1) OR
          ({TRIGGER.VALUE}=1 and last()=0)

          Now this reads "alert when the status begins at one and goes to 0, but keep alerting so long as it stays at 0". As soon as it becomes 1 it stops alerting.

          The above is a form of the hysteresis techniques you will find written about for zabbix (google zabbix and hysteresis). The fundamental idea is to make the "stay" aspect less strict than the "start". by that I mean that a trigger of form:

          ({TRIGGER.VALUE}=0 and start-condition) OR
          ({TRIGGER.VALUE}=1 and keep-going-condition)

          You read these in English like "Initiate the trigger if start-condition is true and keep the alert going so long as keep-going-condition remains true". And generally speaking this means that "start condition" is in some way more strict than "keep-going condition".

          By the way, a typical mistake people make is to conflate that last part as some kind of a stop condition; it is not, it is a "keep going", so read it as "and keep alerting so long as" and never as "keep alerting until".

            Comment

            Previous template Next
            Working...