I recently configured a Zabbix 2.2 server running on CentOS 6.7 to accept SNMP traps using the following HOWTO located at https://www.zabbix.org/wiki/Start_wi...raps_in_Zabbix . I configured everything including the LLD for interface linkUp/linkDown traps. However, I am running into a problem with the trigger expressions.
Here is a sample SNMP trap from when I was testing the overall configuration (IP addresses changed to protect the innocent):
14:47:51 2016/07/13 ZBXTRAP 1.1.1.1
PDU INFO:
notificationtype TRAP
version 0
receivedfrom UDP: [1.1.1.1]:63978->[1.1.1.1]
errorstatus 0
messageid 0
community zabbix
transactionid 8
errorindex 0
requestid 0
VARBINDS:
DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (1379511676) 159 days, 15:58:36.76
SNMPv2-MIB::snmpTrapOID.0 type=6 value=OID: IF-MIB::linkDown
IF-MIB::ifIndex.521 type=2 value=INTEGER: 521
IF-MIB::ifAdminStatus.521 type=2 value=INTEGER: 1
IF-MIB::ifOperStatus.521 type=2 value=INTEGER: 2
IF-MIB::ifName.521 type=4 value=STRING: "ge-0/0/10"
SNMP-COMMUNITY-MIB::snmpTrapAddress.0 type=64 value=IpAddress: 1.1.1.1
SNMP-COMMUNITY-MIB::snmpTrapCommunity.0 type=4 value=STRING: "zabbix"
SNMPv2-MIB::snmpTrapEnterprise.0 type=6 value=OID: SNMPv2-SMI::enterprises.2636.1.1.1.2.39
The trigger expression is exactly as specified in the HOWTO:
{Template SNMP Interfaces:snmptrap["(IF-MIB::linkDown|IF-MIB::linkUp)(.|[[:space:]])*{#SNMPVALUE}"].str(linkDown)}=1
The problem I am running into is that the trap event that is received for ge-0/0/10 is also triggering ge-0/0/1. I believe this is because the extended regex doesn't have a closing match character, so the match for the ge-0/0/1 interface is also grabbing the beginning of the ge-0/0/10 interface.
I believe the solution is to add a closing double quote to the regex match in order to terminate the ifName value at the appropriate place. However, the Zabbix documentation for the extended regex is not clear to me on how to best handle character escapes properly, especially since it could affect the entire expression. I have no test environment, and the system owner is a little touchy on making random changes to production. Can anyone provide a little clarity on the correct way to add the properly escaped character into the expression?
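Added example, not part of the original post and not Zabbix code: the prefix-match behaviour described above can be checked offline with POSIX `regcomp`, assuming the trap item's pattern is evaluated as a POSIX extended regex as the post describes. The helper `trap_matches` and the shortened trap text are constructed for illustration; the regex prefix and interface names are the ones from the post.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed sample: varbinds of the linkDown trap quoted in the post. */
static const char *TRAP =
    "SNMPv2-MIB::snmpTrapOID.0 type=6 value=OID: IF-MIB::linkDown\n"
    "IF-MIB::ifIndex.521 type=2 value=INTEGER: 521\n"
    "IF-MIB::ifOperStatus.521 type=2 value=INTEGER: 2\n"
    "IF-MIB::ifName.521 type=4 value=STRING: \"ge-0/0/10\"\n";

/* Regex prefix taken from the snmptrap[] key in the post's trigger. */
#define PREFIX "(IF-MIB::linkDown|IF-MIB::linkUp)(.|[[:space:]])*"

/* Hypothetical helper: builds the item regex for one interface name, the
 * way LLD would substitute {#SNMPVALUE}. quoted=1 appends a literal closing
 * double quote after the name.
 * Returns 1 if the trap text matches, 0 if it does not, -1 on error. */
static int trap_matches(const char *ifname, int quoted)
{
    char pattern[256];
    regex_t re;
    int n, rc;

    n = snprintf(pattern, sizeof pattern, "%s%s%s",
                 PREFIX, ifname, quoted ? "\"" : "");
    if (n < 0 || (size_t)n >= sizeof pattern)
        return -1;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, TRAP, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    const char *names[] = { "ge-0/0/1", "ge-0/0/10" };

    /* One trap for ge-0/0/10, tested against both interfaces' patterns. */
    for (int i = 0; i < 2; i++)
        printf("%-10s unterminated=%d terminated=%d\n", names[i],
               trap_matches(names[i], 0), trap_matches(names[i], 1));
    return 0;
}
```

In an extended regex the double quote is an ordinary character, so the pattern itself needs no regex escape for it. Inside a quoted Zabbix item key parameter a literal double quote is written as `\"`.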