Tweaks for using SNMP traps

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • rxm8028
    Member
    • Apr 2005
    • 45

    #1

    Tweaks for using SNMP traps

    I recently configured my Zabbix system to catch traps sent from some Windows 2000 servers. The traps have a very long numeric TrapOID, and as I was using the TrapOID as the KEY for my Item, I ran into a field size limit in the database. Field item.key_ is only 64 characters long. I had to change it to 128.

    I used the TrapOID and HOSTNAME pulled from the trap itself to have snmptrap.sh tell zabbix_sender where to put the information in the zabbix database.

    I hate to make changes to the internals of a system, but this got me going, and now Zabbix can alert me of traps thrown from the Windows servers' Event Logs.
    Yay!

    Ross
  • peter_field
    Member
    • Jun 2006
    • 71

    #2
    Meaning of MS OIDs, and a script to convert them

    I have written a perl script to change the cryptic MS OID to a meaningful name, i.e.
    SNMPv2-SMI::enterprises.311.1.13.1.23.83.101.114.118.105.99.101.32.67.111.110.116.114.111.108.32.77.97.110.97.103.101.114.0.1073748860
    ->
    Service Control Manager.1073748860

    This will get around the problem of changing the data size in MySQL.

    I changed snmptrapd to call the perl script directly. Hope this helps.

    I found this article somewhere on the net:

    To start with, the default base OID for the SNMP traps is defined as “1.3.6.1.4.1.311.1.13.1”, and all of the OID sequences in the event agent will use this base OID value (this can be overridden by changing the “BaseEnterpriseOID” registry key value if needed, although this should not be necessary). The “1.3.6.1.4.1” sequence is the “enterprise” branch of the public OID hierarchy, while “311” is the OID assigned to Microsoft Corporation, and “1” is the OID that Microsoft uses for “software”. The “13.1” OID pair represents the event log messages that are sent as SNMP traps, although there is no known authoritative reference for these OID values, and Microsoft did not provide definitive names for these values when asked (we have unilaterally defined them as “eventlog” and “evntagent” respectively, but they could be anything).

    The Event Traps

    The SNMP traps have additional OID values under the base OID that identify the named event source for the canonical Windows event. Specifically, these OID sequences indicate the length of the event source name, and also carry the ASCII values of each letter from that name. For example, events from the “DNS” source will have the OID sequence of “3.68.78.83” under the base OID described above, where “3” indicates that there are three characters in the name of the event source, with the ASCII decimal values of “68” (“D”), “78” (“N”), and “83” (“S”) respectively. Along these same lines, events from the “Security” event source are identified by the OID sequence of “8.83.101.99.117.114.105.116.121”, and so forth.

    The last OID in the full sequence indicates the canonical Windows event that was fired. Sometimes these OID values mirror the event number, but most of the time it is a calculated value of some kind. For example, the explicit OID for “logon failure” is “529”, which is the same value as the event identifier for the canonical event itself. On the other hand, the explicit OID for the NTP synchronization success event is “1113194531”, which is nothing at all like the canonical Windows event identifier. Because of this vagary, you will likely need to use some kind of network analyzer in order to determine which exact OID value will be generated.

    Most MIBs require naming contexts, but Microsoft does not provide any kind of naming or guidance here, so you will have to come up with your own. While most MIBs map single OID values to a logical name, this doesn’t work with the approach that Microsoft has taken, and you will instead need to map a sequence of relative values to a single name in order to manage categories. For example, you can define the relative OID sequence of “3 68 78 83” (without the dot-separators) as “w32Dns” (or something similar), and then define discrete children OID values with their own trap names. We have tried to be flexible and predictable here, using names like “w32LogonFailure” to indicate login failure errors, and we would encourage others to behave similarly in case their definitions leak out to the external world.

    ------------------------------------
    #!/usr/bin/perl
    use strict;
    use warnings;

    my $ZABBIX_SERVER = 'zabbix';
    my $ZABBIX_PORT   = '10051';
    my $ZABBIX_SENDER = '/usr/local/bin/zabbix_sender';
    my $HOST = 'snmp_traps';
    my $KEY  = 'snmp.trap.default';

    # KNOWN KEYS INCLUDE:
    # snmp.trap.ms.eventlog - Microsoft Event Log trap - configured via 'evntwin'

    # snmptrapd traphandle input: hostname, IP address, then one "OID value" line per varbind
    chomp(my $hostname = <STDIN>);
    chomp(my $ip       = <STDIN>);
    chomp(my $uptime   = <STDIN>);   # sysUpTime varbind
    chomp(my $oid      = <STDIN>);   # snmpTrapOID.0 varbind

    my $oidnice = '';
    if (substr($oid, 0, 61) eq 'SNMPv2-MIB::snmpTrapOID.0 SNMPv2-SMI::enterprises.311.1.13.1.') {
        $KEY = 'snmp.trap.ms.eventlog';
        # remainder is: <name length>.<ASCII code of each name character>.<0>.<trap id>
        my @oids = split /\./, substr($oid, 61);
        for my $i (1 .. $oids[0]) {
            $oidnice .= chr($oids[$i]);
        }
        $oidnice .= '.' . $oids[$oids[0] + 2] . ':';
    } else {
        $oidnice = $oid;
    }

    # remaining varbinds: keep only the value part, strip quotes, join with commas
    my $payload = '';
    while (defined(my $line = <STDIN>)) {
        chomp($line);
        $line = substr($line, (index $line, ' ') + 1);
        $line =~ s/\"//g;
        $payload .= $line . ',';
    }
    chop($payload);

    my $str = "$oidnice $payload";

    # list-form exec: no shell is involved, so trap contents cannot be interpreted as shell syntax
    exec($ZABBIX_SENDER, $ZABBIX_SERVER, $ZABBIX_PORT, $HOST, $KEY, $str);
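A decoder for the evntagent trap OID layout the quoted article describes (length prefix, ASCII codes of the event source name, a separator sub-identifier, then the trap id), written in Python rather than Perl as an added example; it is not the thread's own code, and the function and constant names are assumptions. It also builds the zabbix_sender value the way the script above does and checks a candidate item key against the 64-character item.key_ limit from the first post.

```python
"""Decode Microsoft evntagent trap OIDs: <base>.<len>.<ASCII codes...>.<sep>.<trap id>."""

MS_EVENTLOG_BASES = (
    "1.3.6.1.4.1.311.1.13.1",              # numeric form of the base OID
    "SNMPv2-SMI::enterprises.311.1.13.1",  # snmptrapd's default rendering, as seen in the thread
)

ITEM_KEY_LIMIT = 64  # width of item.key_ that the first post ran into


def decode_eventlog_oid(oid):
    """Return (event_source, trap_id), or None if oid is not a well-formed evntagent trap OID."""
    rest = None
    for base in MS_EVENTLOG_BASES:
        if oid.startswith(base + "."):
            rest = oid[len(base) + 1:]
            break
    if rest is None:
        return None
    parts = rest.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    n = nums[0]
    # expected: length, n character codes, one separator sub-id (0 in the thread's sample), trap id
    if len(nums) != n + 3:
        return None
    codes = nums[1:n + 1]
    if any(c < 32 or c > 126 for c in codes):  # the name must be printable ASCII
        return None
    return "".join(chr(c) for c in codes), nums[n + 2]


def sender_value(oid, varbind_lines):
    """Build the value the script above hands to zabbix_sender: '<source>.<trap id>: v1,v2'."""
    decoded = decode_eventlog_oid(oid)
    label = "%s.%d:" % decoded if decoded else oid
    # each snmptrapd varbind line is '<oid> <value>'; keep the value and strip quotes
    values = [line.split(" ", 1)[1].replace('"', "") for line in varbind_lines if " " in line]
    return "%s %s" % (label, ",".join(values))


def fits_item_key(key):
    """Would this key fit the unmodified item.key_ column?"""
    return len(key) <= ITEM_KEY_LIMIT
```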
