snmptt-developer Mailing List for SNMP Trap Translator
Brought to you by:
alex_b
This list is closed, nobody may subscribe to it.
|
From: Alex B. <al...@us...> - 2021-04-03 03:20:14
|
Hi Francois.

I removed the log_key_names option and replaced it with log_format. You can now define the log format for text logging and syslog. It defaults to '$O $s "$c" $A - $Fz' which matches the original format of 'trap-oid severity category hostname - translated-trap'.

You can modify it to use key pairs and also add the brackets if needed:

[Trap="$O" Severity="$s" Category="$c" Hostname="$A"] $Fz

When setting the rfc format to RFC5424, I can see in a Wireshark trace that it includes 'Syslog app name: snmptt' while LOG_RFC3164 does not. It's still not a perfect match to what's in the article you mentioned. I still need to spend some time reviewing the article you sent and the RFC.

Alex

On Fri, 2 Apr 2021 at 18:47, Mikus, Francois via Snmptt-developer <snm...@li...> wrote:

> Hey Alex,
>
> What you are proposing in your example is fine for the key value data. Having the common data as key=value pairs (or logfmt format) is the magic sauce. This will permit Splunk or Loki/LogQL to auto-parse all the fields.
>
> The Perl module you mentioned does not support RFC5424, but provides a way to send actual UDP syslog to a remote IP or a local socket so that is golden. The perl module will make sure it is correctly formatted with appropriate date hostname app-name * * so your software does not need to bother with it.
>
> RFC5424 is simply a transport format so that systems like Loki can ingest them directly, really not a big deal if you don't support it. It just means we continue to use an rsyslog or syslogng in front of it.
> The structured data of RFC5424 are simply quoted key= "value pair" enclosed in brackets []. They ensure that the system at the other end can process them without any additional parsing.
> They are entirely optional in this case you do not need to force your key values into this structured section. This blog post has a good breakdown of the format: https://blog.datalust.co/seq-input-syslog/
>
> For example Loki will actually drop header information and structured data unless you explicitly tell it to actually assign it to a LABEL. (Meta data associated with the log message)
>
> The principle being stuff that SHOULD become meta-data is stuffed in the structured section and what is the actual message stays in the message section(key=value and regular unstructured message). That is what I understand of the format. And depending on where you are sending it, you might not actually want to index everything.. (ElasticSearch/Splunk versus Loki) So like anything related to logging, the answer is: it depends.
>
> But having the structure you propose is really all we need. :)
>
> Cheers,
>
> X
> ---
>
> Hi Francois.
>
> Good suggestions. I have added a new snmptt.ini option called log_key_names that may do what you are looking for:
>
> # Set to 1 to create key=value pairs for trap-OID, severity, category and
> # hostname for text logging and syslog. Example:
> # Trap-OID=trap-OID Severity=severity Category=category Hostname=hostname
> # instead of
> # trap-OID severity category hostname
> log_key_names = 1
>
> I have also added remote syslog by using a new syslog module: Log::Syslog::Fast. Have a look at the new snmptt.ini settings and let me know what you think.
>
> syslog_module
> syslog_remote_dest
> syslog_remote_port
> syslog_remote_proto
> syslog_rfc_format
> syslog_app
> syslog_system_app
>
> I haven't reviewed all of RFC5424 yet so I'm not sure if this is exactly what you were looking for. I see that it mentions structured data for the key pairs but I'm not sure if I can make Trap-OID, Severity etc into official key pairs with the module I am using.
>
> Alex
>
> On Fri, 2 Apr 2021 at 10:24, Mikus, Francois via Snmptt-developer <snm...@li...<mailto:snm...@li...>> wrote:
> Minor improvements that can help integration with modern toolsets:
>
> 1 - Output the actual syslog fields: Date hostname snmptt * * trap-OID severity category hostname
> Makes it easier to relay the correct information to the remote syslog without having to parse the message and re-extract the hostname.
>
> 2 - Be able to specify the "app" in the syslog output to indicate that it is from snmptt, or statically select snmptt as the source app.
> Makes it easier to categorize in post-processing if the logs are mixed with others. I actually use an intermediate syslog program to reset the app to snmptt before forwarding.
>
> 3 - Provide an alternate output format option to regular syslog: RFC5424 + octet to a destination IP
> Include the octet-count at the start
> Set the date hostname/ip app * *
> Put the basic common values as key=values: trap-OID severity category hostname
> Put the FORMAT section as the message (not a key=value)
>
> This would make it much easier to integrate with Loki or anything else that consumes structured logs.
>
> Looking forward to version 1.5. Great work and great documentation.
>
> Cheers,
>
> X
>
> _______________________________________________
> Snmptt-developer mailing list
> Snm...@li...<mailto:Snm...@li...>
> https://lists.sourceforge.net/lists/listinfo/snmptt-developer
>
> _______________________________________________
> Snmptt-developer mailing list
> Snm...@li...
> https://lists.sourceforge.net/lists/listinfo/snmptt-developer
|
From: Mikus, F. <Fra...@st...> - 2021-04-02 22:47:26
|
Hey Alex,

What you are proposing in your example is fine for the key value data. Having the common data as key=value pairs (or logfmt format) is the magic sauce. This will permit Splunk or Loki/LogQL to auto-parse all the fields.

The Perl module you mentioned does not support RFC5424, but provides a way to send actual UDP syslog to a remote IP or a local socket so that is golden. The perl module will make sure it is correctly formatted with appropriate date hostname app-name * * so your software does not need to bother with it.

RFC5424 is simply a transport format so that systems like Loki can ingest them directly, really not a big deal if you don't support it. It just means we continue to use an rsyslog or syslogng in front of it.
The structured data of RFC5424 are simply quoted key= "value pair" enclosed in brackets []. They ensure that the system at the other end can process them without any additional parsing.
They are entirely optional in this case you do not need to force your key values into this structured section. This blog post has a good breakdown of the format: https://blog.datalust.co/seq-input-syslog/

For example Loki will actually drop header information and structured data unless you explicitly tell it to actually assign it to a LABEL. (Meta data associated with the log message)

The principle being stuff that SHOULD become meta-data is stuffed in the structured section and what is the actual message stays in the message section(key=value and regular unstructured message). That is what I understand of the format. And depending on where you are sending it, you might not actually want to index everything.. (ElasticSearch/Splunk versus Loki) So like anything related to logging, the answer is: it depends.

But having the structure you propose is really all we need. :)

Cheers,

X
---

Hi Francois.

Good suggestions. I have added a new snmptt.ini option called log_key_names that may do what you are looking for:

# Set to 1 to create key=value pairs for trap-OID, severity, category and
# hostname for text logging and syslog. Example:
# Trap-OID=trap-OID Severity=severity Category=category Hostname=hostname
# instead of
# trap-OID severity category hostname
log_key_names = 1

I have also added remote syslog by using a new syslog module: Log::Syslog::Fast. Have a look at the new snmptt.ini settings and let me know what you think.

syslog_module
syslog_remote_dest
syslog_remote_port
syslog_remote_proto
syslog_rfc_format
syslog_app
syslog_system_app

I haven't reviewed all of RFC5424 yet so I'm not sure if this is exactly what you were looking for. I see that it mentions structured data for the key pairs but I'm not sure if I can make Trap-OID, Severity etc into official key pairs with the module I am using.

Alex

On Fri, 2 Apr 2021 at 10:24, Mikus, Francois via Snmptt-developer <snm...@li...<mailto:snm...@li...>> wrote:
Minor improvements that can help integration with modern toolsets:

1 - Output the actual syslog fields: Date hostname snmptt * * trap-OID severity category hostname
Makes it easier to relay the correct information to the remote syslog without having to parse the message and re-extract the hostname.

2 - Be able to specify the "app" in the syslog output to indicate that it is from snmptt, or statically select snmptt as the source app.
Makes it easier to categorize in post-processing if the logs are mixed with others. I actually use an intermediate syslog program to reset the app to snmptt before forwarding.

3 - Provide an alternate output format option to regular syslog: RFC5424 + octet to a destination IP
Include the octet-count at the start
Set the date hostname/ip app * *
Put the basic common values as key=values: trap-OID severity category hostname
Put the FORMAT section as the message (not a key=value)

This would make it much easier to integrate with Loki or anything else that consumes structured logs.

Looking forward to version 1.5. Great work and great documentation.

Cheers,

X

_______________________________________________
Snmptt-developer mailing list
Snm...@li...<mailto:Snm...@li...>
https://lists.sourceforge.net/lists/listinfo/snmptt-developer
|
From: Alex B. <al...@us...> - 2021-04-02 21:22:51
|
Hi Francois.

Good suggestions. I have added a new snmptt.ini option called log_key_names that may do what you are looking for:

# Set to 1 to create key=value pairs for trap-OID, severity, category and
# hostname for text logging and syslog. Example:
# Trap-OID=trap-OID Severity=severity Category=category Hostname=hostname
# instead of
# trap-OID severity category hostname
log_key_names = 1

I have also added remote syslog by using a new syslog module: Log::Syslog::Fast. Have a look at the new snmptt.ini settings and let me know what you think.

syslog_module
syslog_remote_dest
syslog_remote_port
syslog_remote_proto
syslog_rfc_format
syslog_app
syslog_system_app

I haven't reviewed all of RFC5424 yet so I'm not sure if this is exactly what you were looking for. I see that it mentions structured data for the key pairs but I'm not sure if I can make Trap-OID, Severity etc into official key pairs with the module I am using.

Alex

On Fri, 2 Apr 2021 at 10:24, Mikus, Francois via Snmptt-developer <snm...@li...> wrote:

> Minor improvements that can help integration with modern toolsets:
>
> 1 - Output the actual syslog fields: Date hostname snmptt * * trap-OID severity category hostname
> Makes it easier to relay the correct information to the remote syslog without having to parse the message and re-extract the hostname.
>
> 2 - Be able to specify the "app" in the syslog output to indicate that it is from snmptt, or statically select snmptt as the source app.
> Makes it easier to categorize in post-processing if the logs are mixed with others. I actually use an intermediate syslog program to reset the app to snmptt before forwarding.
>
> 3 - Provide an alternate output format option to regular syslog: RFC5424 + octet to a destination IP
> Include the octet-count at the start
> Set the date hostname/ip app * *
> Put the basic common values as key=values: trap-OID severity category hostname
> Put the FORMAT section as the message (not a key=value)
>
> This would make it much easier to integrate with Loki or anything else that consumes structured logs.
>
> Looking forward to version 1.5. Great work and great documentation.
>
> Cheers,
>
> X
>
> _______________________________________________
> Snmptt-developer mailing list
> Snm...@li...
> https://lists.sourceforge.net/lists/listinfo/snmptt-developer
|
From: Mikus, F. <Fra...@st...> - 2021-04-02 14:24:41
|
Minor improvements that can help integration with modern toolsets:
1 - Output the actual syslog fields: Date hostname snmptt * * trap-OID severity category hostname
Makes it easier to relay the correct information to the remote syslog without having to parse the message and re-extract the hostname.
2 - Be able to specify the "app" in the syslog output to indicate that it is from snmptt, or statically select snmptt as the source app.
Makes it easier to categorize in post-processing if the logs are mixed with others. I actually use an intermediate syslog program to reset the app to snmptt before forwarding.
3 - Provide an alternate output format option to regular syslog: RFC5424 + octet to a destination IP
Include the octet-count at the start
Set the date hostname/ip app * *
Put the basic common values as key=values: trap-OID severity category hostname
Put the FORMAT section as the message (not a key=value)
This would make it much easier to integrate with Loki or anything else that consumes structured logs.
Looking forward to version 1.5. Great work and great documentation.
Cheers,
X
|
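The output requested in point 3 of the message above (RFC5424, octet count at the start, common values as key/value pairs, FORMAT text as the message), as an added Python example that is not SNMPTT code. The SD-ID `snmptt@32473` uses the enterprise number reserved for documentation, the host name `nms01` and all field values are constructed, and the RFC 5424 NILVALUE `-` stands in for the `* *` placeholders; escaping is included because every value originates in a trap the sender controls.

```python
"""Added example: RFC 5424 message with structured data, octet-counted."""
from datetime import datetime, timezone

NIL = "-"  # RFC 5424 NILVALUE, used here for PROCID and MSGID


def sd_escape(value):
    """Escape the three characters RFC 5424 requires inside a PARAM-VALUE."""
    out = []
    for ch in value:
        if ch in '"\\]':
            out.append("\\")
        out.append(ch)
    return "".join(out)


def sd_element(sd_id, params):
    """Render one [SD-ID name="value" ...] element."""
    body = "".join(' %s="%s"' % (k, sd_escape(v)) for k, v in params)
    return "[%s%s]" % (sd_id, body)


def flatten(text):
    """Keep trap-supplied text on one line so it cannot start a fake record."""
    return text.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


def rfc5424(facility, severity, when, host, app, sd, msg):
    """Build <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    header = "<%d>1 %s %s %s %s %s" % (pri, stamp, host, app, NIL, NIL)
    return "%s %s %s" % (header, sd, flatten(msg))


def octet_frame(message):
    """RFC 6587 octet counting: byte length, one space, then the message."""
    payload = message.encode("utf-8")
    return str(len(payload)).encode("ascii") + b" " + payload


def read_frame(buf):
    """Split one frame off the front of buf; returns (message, rest)."""
    length, _, rest = buf.partition(b" ")
    n = int(length)
    if len(rest) < n:
        raise ValueError("incomplete frame")
    return rest[:n].decode("utf-8"), rest[n:]


def sample_frame():
    """Constructed trap: the category value carries a quote and a bracket."""
    sd = sd_element("snmptt@32473", [
        ("trap", ".1.3.6.1.4.1.9.9.187.0.1"),
        ("severity", "critical"),
        ("category", 'Status "Events"]'),
        ("hostname", "192.0.2.10"),
    ])
    when = datetime(2021, 4, 2, 14, 24, 41, tzinfo=timezone.utc)
    # Facility local0 (16) and severity critical (2) give PRI 130.
    msg = rfc5424(16, 2, when, "nms01", "snmptt", sd,
                  "The server has shutdown.\nDetected at host")
    return octet_frame(msg)


if __name__ == "__main__":
    print(sample_frame().decode("utf-8"))
```
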
|
From: Animesh <van...@ya...> - 2019-10-15 09:05:59
|
Hi Team,

We observed that the varbinds and snmptt variables are getting corrupted when the trap has multiple lines in its var bind. As shown in the below example. But the same trap when passed in the single line then we see no issues in the trap. It would be really helpful if you could help us on this.

########################### Actual Trap from Node#################
Module : OTHER
Error Code : 901
Resource Id : 1.6.321
Timestamp First : Sun Oct 06 15:13:25 BDT 2019
Repeated Counter : 1
Timestamp Last : Sun Oct 06 15:13:25 BDT 2019
Model Description : The server has shutdown.
ActiveDescription : Server10@1055.1234.34.18 The server has shutdown. Detected at host:glkl-p-tmm1.
Event Type : 6
Probable Cause : 545
Severity : critical
Orig Source IP : 1034.74.4.17145622
Sequence Number : 16

###################SNMPTT Debug Log#################################
Reading trap. Current time: Thu Oct 10 18:19:29 2019
Symbolic trap variable name detected (The). Will attempt to translate to a numerical OID
Could not translate - Net-SNMP Perl module not enabled - will leave as-is
Symbolic trap variable name detected (). Will attempt to translate to a numerical OID
Could not translate - Net-SNMP Perl module not enabled - will leave as-is

Raw trap passed from snmptrapd:
<UNKNOWN>
UDP: [10.74.4.177]:161->[10.74.2.43]:162
.1.3.6.1.2.1.1.3.0 0:0:10:35.16
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.193.110.2.10.2.0.1
.1.3.6.1.4.1.193.110.2.666.1.1.2.1.6.5.79.84.72.69.82.901.6 The server has shutdown.
.1.3.6.1.4.1.193.110.2.666.1.2.2.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 .1.6.360
.1.3.6.1.4.1.193.110.2.666.1.2.2.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 Server10@100.74.4.1 The server has shutdown. Detected at host:cml-p-emm1.
.1.3.6.1.4.1.193.110.2.667.1.1.1.1.2.5.79.84.72.69.82.901.3 environmentalAlarm
.1.3.6.1.4.1.193.110.2.667.1.1.1.1.3.5.79.84.72.69.82.901.3 softwareProgramAbnormallyTerminated
.1.3.6.1.4.1.193.110.2.10.1.10.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 OTHER
.1.3.6.1.4.1.193.110.2.10.1.10.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 Wrong Type (should be Gauge32 or Unsigned32): 901
.1.3.6.1.4.1.193.110.2.10.1.10.1.12.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 critical
.1.3.6.1.4.1.193.110.2.10.1.10.1.2.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 2019-10-10,18:19:35.1,+6:0
.1.3.6.1.4.1.193.110.2.10.1.10.1.16.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 ipv4
.1.3.6.1.4.1.193.110.2.10.1.10.1.17.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 "10.72234.43.1822"
.1.3.6.1.4.1.193.110.2.10.1.10.1.18.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14 14

Items passed from snmptrapd:
value 0: 10.74.4.177
value 1: 10.74.4.177
value 2: .1.3.6.1.2.1.1.3.0
value 3: 0:0:10:35.16
value 4: .1.3.6.1.6.3.1.1.4.1.0
value 5: .1.3.6.1.4.1.193.110.2.10.2.0.1
value 6: .1.3.6.1.4.1.193.110.2.666.1.1.2.1.6.5.79.84.72.69.82.901.6
value 7: The server has shutdown.
value 8: .1.3.6.1.4.1.193.110.2.666.1.2.2.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 9: .1.6.360
value 10: .1.3.6.1.4.1.193.110.2.666.1.2.2.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 11: Server10@10.74.4.182
value 12: The
value 13: server has shutdown.
value 14:
value 15: Detected at host:cml-p-emm1.
value 16: .1.3.6.1.4.1.193.110.2.667.1.1.1.1.2.5.79.84.72.69.82.901.3
value 17: environmentalAlarm
value 18: .1.3.6.1.4.1.193.110.2.667.1.1.1.1.3.5.79.84.72.69.82.901.3
value 19: softwareProgramAbnormallyTerminated
value 20: .1.3.6.1.4.1.193.110.2.10.1.10.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 21: OTHER
value 22: .1.3.6.1.4.1.193.110.2.10.1.10.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 23: Wrong Type (should be Gauge32 or Unsigned32): 901
value 24: .1.3.6.1.4.1.193.110.2.10.1.10.1.12.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 25: critical
value 26: .1.3.6.1.4.1.193.110.2.10.1.10.1.2.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 27: 2019-10-10,18:19:35.1,+6:0
value 28: .1.3.6.1.4.1.193.110.2.10.1.10.1.16.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 29: ipv4
value 30: .1.3.6.1.4.1.193.110.2.10.1.10.1.17.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 31: 10.74.4.182
value 32: .1.3.6.1.4.1.193.110.2.10.1.10.1.18.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14
value 33: 14

Agent IP address was blank, so setting to the same as the host IP address of 10.74.4.177
Agent IP address (10.74.4.177) is the same as the host IP, so copying the host name: 10.74.4.177
Trap received from 10.74.4.177: .1.3.6.1.4.1.193.110.2.10.2.0.1

0: hostname
1: ip address
2: uptime
3: trapname / OID
4: ip address from trap agent
5: trap community string
6: enterprise
7: securityEngineID (snmptthandler-embedded required)
8: securityName (snmptthandler-embedded required)
9: contextEngineID (snmptthandler-embedded required)
10: contextName (snmptthandler-embedded required)
0+: passed variables

Value 0: 10.74.4.177
Value 1: 10.74.4.177
Value 2: 0:0:10:35.16
Value 3: .1.3.6.1.4.1.193.110.2.10.2.0.1
Value 4: 10.74.4.177
Value 5:
Value 6:
Value 7:
Value 8:
Value 9:
Value 10:
Agent dns name: 10.74.4.177

Ent Value 0 ($1): .1.3.6.1.4.1.193.110.2.666.1.1.2.1.6.5.79.84.72.69.82.901.6=The server has shutdown.
Ent Value 1 ($2): .1.3.6.1.4.1.193.110.2.666.1.2.2.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=.1.6.360
Ent Value 2 ($3): .1.3.6.1.4.1.193.110.2.666.1.2.2.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=Server10@10.74.4.182
Ent Value 3 ($4): The=server has shutdown.
Ent Value 4 ($5): =Detected at host:cml-p-emm1.
Ent Value 5 ($6): .1.3.6.1.4.1.193.110.2.667.1.1.1.1.2.5.79.84.72.69.82.901.3=environmentalAlarm
Ent Value 6 ($7): .1.3.6.1.4.1.193.110.2.667.1.1.1.1.3.5.79.84.72.69.82.901.3=softwareProgramAbnormallyTerminated
Ent Value 7 ($8): .1.3.6.1.4.1.193.110.2.10.1.10.1.10.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=OTHER
Ent Value 8 ($9): .1.3.6.1.4.1.193.110.2.10.1.10.1.11.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=Wrong Type (should be Gauge32 or Unsigned32): 901
Ent Value 9 ($10): .1.3.6.1.4.1.193.110.2.10.1.10.1.12.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=critical
Ent Value 10 ($11): .1.3.6.1.4.1.193.110.2.10.1.10.1.2.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=2019-10-10,18:19:35.1,+6:0
Ent Value 11 ($12): .1.3.6.1.4.1.193.110.2.10.1.10.1.16.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=ipv4
Ent Value 12 ($13): .1.3.6.1.4.1.193.110.2.10.1.10.1.17.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=10.74.4.182
Ent Value 13 ($14): .1.3.6.1.4.1.193.110.2.10.1.10.1.18.5.79.84.72.69.82.11.7.227.10.10.18.19.35.1.43.6.0.14=14

Br,
Animesh
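The symptom in the debug log above ("value 12: The", "value 13: server has shutdown.", an empty name before "Detected at host") is what a one-pair-per-line reader produces when a value contains newlines. This added Python example is not SNMPTT's code: the split-at-first-space behaviour is an assumption inferred from that log, the sample trap is constructed with shortened OIDs, and `folding_parse` is a hypothetical tolerant reader.

```python
"""Added example: how a multi-line varbind shifts every later variable."""
import re

# Constructed sample in "OID value" form; the third value spans three lines.
SAMPLE = (
    ".1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.4.1.193.110.2.10.2.0.1\n"
    ".1.3.6.1.4.1.193.110.2.666.1.1 The server has shutdown.\n"
    ".1.3.6.1.4.1.193.110.2.666.1.2 Server10@10.74.4.182\n"
    "The server has shutdown.\n"
    " Detected at host:cml-p-emm1.\n"
    ".1.3.6.1.4.1.193.110.2.10.1.12 critical\n"
)

# A numeric OID: optional leading dot, then at least two dotted integers.
OID_RE = re.compile(r"^\.?\d+(?:\.\d+)+$")


def naive_parse(text):
    """Treat every physical line as its own (name, value) pair."""
    pairs = []
    for line in text.splitlines():
        name, _, value = line.partition(" ")
        pairs.append((name, value))
    return pairs


def folding_parse(text):
    """Fold lines whose first token is not a numeric OID into the previous value."""
    pairs = []
    for line in text.splitlines():
        name, _, value = line.partition(" ")
        if OID_RE.match(name):
            pairs.append([name, value])
        elif pairs:
            pairs[-1][1] += "\n" + line
        else:
            raise ValueError("continuation line before any varbind: %r" % line)
    return [tuple(p) for p in pairs]


def position_of(pairs, wanted_value):
    """1-based position of a value, i.e. the $n it would be substituted as."""
    for index, (_, value) in enumerate(pairs, start=1):
        if value == wanted_value:
            return index
    return None


if __name__ == "__main__":
    for label, parser in (("naive", naive_parse), ("folding", folding_parse)):
        pairs = parser(SAMPLE)
        print(label, len(pairs), "pairs; 'critical' is at position",
              position_of(pairs, "critical"))
```

A continuation line that itself begins with a numeric OID stays ambiguous in any line-oriented format, so folding is a heuristic; the value has to arrive unbroken for the split to be exact.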
|
From: Shivharsh S. <shi...@in...> - 2019-06-17 06:46:55
|
Hi,

In my Organization, there is a requirement to perform testing on SNMPTT. I have been exploring on web to find an existing test suite for SNMPTT but couldn't find any. It would be very helpful if someone can confirm if any such test suite exists?

Also, is there a process to follow to contribute to the existing SNMPTT code base? If yes, where can I find the details?

Thanks,
Shivharsh
|
From: Browne, R. <Ric...@op...> - 2018-01-18 10:30:25
|
I am trying to get regex replacements to work with nagios

I have allow unsafe regex turned on in snmptt.ini

This is the trap in snmp.conf -

#
EVENT cbgpFsmStateChange .1.3.6.1.4.1.9.9.187.0.1 "Status Events" CRITICAL
FORMAT The BGP cbgpFsmStateChange notification is generated $*
EXEC /usr/local/bin/snmptraphandling.py "$r" "Traps - BGP" "$s" "$@" "$-*" "BGP state change from test $4 to $2 Error: $1 $3 "
REGEX (established) (<strong style='color:green'>established</strong>)
REGEX (active) (<strong style='color:orange'>active</strong>)
REGEX (idle) (<strong style='color:red'>idle</strong>)
SDESC
The BGP cbgpFsmStateChange notification is generated for every BGP FSM state change. The bgpPeerRemoteAddr value is attached to the notification object ID.
Variables:
1: bgpPeerLastError
2: bgpPeerState
3: cbgpPeerLastErrorTxt
4: cbgpPeerPrevState
EDESC
#

The idea is that it would colourize the words using html, but the regex is not changing the message at all, I've tried just putting test-

REGEX (established) (test)
REGEX (active) (test)
REGEX (idle) (test)

Just in case it didn't like the special chars but this also didn't work.

I even tried changing a word that always appears in the message but that didn't work either-

REGEX (BGP) (testBGPtest)

Any ideas?

Thanks,
Rick
|
From: Nobuo M. <No...@la...> - 2015-07-02 19:24:48
|
Hi, I am using snmptt v1.4. When I receive a trap from a device, snmptt $# shows 3. But when I capture packets using tcpdump, it shows 14 items. Does anybody have similar experience? Thanks Nobuo |
|
From: Alex B. <al...@us...> - 2012-10-21 17:51:29
|
SNMPTT 1.4 Beta 1 has been released. Please report any issues to this list.

What's New:

* Added snmptt.ini option net_snmp_perl_cache_enable to enable caching of Net-SNMP Perl module OID and ENUM translations. This may speed up translations and reduce CPU load when net_snmp_perl_enable and translate_* options are enabled.
* Fixed bug with snmptthandler-embedded where IP addresses and OIDs were not being detected properly because they contained 'OID:', 'IpAddress:' etc.
* Fixed bug with MATCH. The PREEXEC $p variable could not be used with MATCH. PREEXEC is now executed first if MATCH contains $p.
* Fixed bug with syslog. Log entries were supposed to be logged with snmptt[pid] but instead of the pid it was actually the effective user ID (2980512).
* Fixed bug where the hostname is not detected properly when snmptrapd is configured to not use DNS.
* Fixed bug where if the spool directory is not defined, files may be deleted from the wrong folder (3020696).
* Fixed bug with syslog logging. Function was not being called properly (3166749).
* Fixed bug with MATCH where number ranges were not working (3397982).
* Fixed bug with multi-line traps (2915658).
* Fixed bug with LOGONLY severity. EXEC was being executed even if the trap had a severity of LOGONLY (3567744).
* Fixed bug with snmptt hanging if the log message sent to syslog contained a % symbol. All %'s are now escaped before sending to syslog (3567748).
* Fixed possible bug with MySQL. Put CONNECT string on one line.
* Fixed bug with not being able to write to the debug log file when running snmptt as non-root if the debug file didn't already exist with the correct permissions at startup. The ownership of snmptt.debug is now set to daemon_uid before switching to the new uid. Patch 3423525.
* Installation documentation updates (bug 3425999).

Download: https://sourceforge.net/projects/snmptt/files/snmptt/snmptt_1.4beta1/
|
From: Alan I. <al...@ec...> - 2011-04-22 01:39:00
|
Oops, didn't catch that one was already available. Disregard previous
message.
On Thu, Apr 21, 2011 at 5:25 PM, Alan Ivey <al...@ec...> wrote:
> I've created a spec file to build an SNMPtt RPM. I've tested this on CentOS
> 5.5 64-bit.
>
> Name: snmptt
> Version: 1.3
> Release: 1%{?dist}
> Summary: SNMP Trap Translator is an SNMP trap handler for use with
> the Net-SNMP / UCD-SNMP snmptrapd program
>
> Group: Applications/Internet
> License: GPLv2+
> URL: http://snmptt.sourceforge.net/
> Source0:
> http://downloads.sourceforge.net/%{name}/%{name}_%{version}.tgz
> BuildRoot: %{_tmppath}/%{name}_%{version}
> BuildArch: noarch
>
> Requires: net-snmp
>
> %description
> SNMPTT (SNMP Trap Translator) is an SNMP trap handler written in Perl for
> use
> with the Net-SNMP / UCD-SNMP snmptrapd program (www.net-snmp.org). SNMPTT
> supports Linux, Unix and Windows. Many network devices including but not
> limited to network switches, routers, remote access servers, UPSs, printers
>
> and operating systems such as Unix and Windows NT have the ability to send
> notifications to an SNMP manager running on a network management station.
> The
> notifications can be either SNMP Traps, or SNMP Inform messages. The
> notification can contain a wide array of information such as port failures,
>
> link failures, access violations, power outages, paper jams, hard drive
> failures etc. The MIB (Management Information Base) available from the
> vendor
> determines the notifications supported by each device.
>
>
> %prep
> %setup -q -n %{name}_%{version}
>
> %build
>
> %install
> rm -rf $RPM_BUILD_ROOT
> mkdir -p ${RPM_BUILD_ROOT}%{_sbindir}
> mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp
> mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/snmptt
> mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
> mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/spool/snmptt
> mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
> install -m 0755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp
> install -m 0755 -d ${RPM_BUILD_ROOT}%{_localstatedir}/log/snmptt
> install -m 0755 -d ${RPM_BUILD_ROOT}%{_localstatedir}/spool/snmptt
> install -m 0755 snmptt ${RPM_BUILD_ROOT}%{_sbindir}/snmptt
> install -m 0755 snmptthandler ${RPM_BUILD_ROOT}%{_sbindir}/snmptthandler
> install -m 0755 snmpttconvert ${RPM_BUILD_ROOT}%{_sbindir}/snmpttconvert
> install -m 0755 snmpttconvertmib
> ${RPM_BUILD_ROOT}%{_sbindir}/snmpttconvertmib
> install -m 0644 examples/snmptt.conf.generic
> ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp/snmptt.conf
> install -m 0644 snmptt.ini ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp/snmptt.ini
> install -m 0755 snmptt-init.d ${RPM_BUILD_ROOT}%{_initrddir}/snmptt
> install -m 0644 snmptt.logrotate
> ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/snmptt
>
> %clean
> rm -rf $RPM_BUILD_ROOT
>
> %post
> echo ""
> echo "Add the service using chkconfig:
> chkconfig --add snmptt
>
> Configure the service to start at runlevel 2345:
> chkconfig --level 2345 snmptt on
>
> Snmptt will be started at the next reboot, or can be started immediately
> with:
> service snmptt start
> or
> /etc/rc.d/init.d/snmptt start
>
> To manually start snmptt, use:
> snmptt --daemon"
>
> %files
> %defattr(-,root,root,-)
> %dir %{_sysconfdir}/snmp
> %dir %{_localstatedir}/log/snmptt
> %dir %{_localstatedir}/spool/snmptt
> %config(noreplace) %{_sysconfdir}/snmp/snmptt.conf
> %config(noreplace) %{_sysconfdir}/snmp/snmptt.ini
> %{_sbindir}/snmptt
> %{_sbindir}/snmptthandler
> %{_sbindir}/snmpttconvert
> %{_sbindir}/snmpttconvertmib
> %{_initrddir}/snmptt
> %{_sysconfdir}/logrotate.d/snmptt
>
> %changelog
> * Thu Apr 21 2011 Alan Ivey <al...@ec...> - 1.3-1
> - First RPM
>
>
>
> --
> Alan Ivey
> Systems Administrator, EchoDitto
> al...@ec...
> 202-285-9455 ext 115
> AIM: echodittoalan
>
>
>
>
>
>
>
>
--
Alan Ivey
Systems Administrator, EchoDitto
al...@ec...
202-285-9455 ext 115
AIM: echodittoalan
|
|
From: Alan I. <al...@ec...> - 2011-04-21 21:57:04
|
I've created a spec file to build an SNMPtt RPM. I've tested this on CentOS
5.5 64-bit.
Name: snmptt
Version: 1.3
Release: 1%{?dist}
Summary: SNMP Trap Translator is an SNMP trap handler for use with the Net-SNMP / UCD-SNMP snmptrapd program
Group: Applications/Internet
License: GPLv2+
URL: http://snmptt.sourceforge.net/
Source0: http://downloads.sourceforge.net/%{name}/%{name}_%{version}.tgz
BuildRoot: %{_tmppath}/%{name}_%{version}
BuildArch: noarch
Requires: net-snmp
%description
SNMPTT (SNMP Trap Translator) is an SNMP trap handler written in Perl for
use
with the Net-SNMP / UCD-SNMP snmptrapd program (www.net-snmp.org). SNMPTT
supports Linux, Unix and Windows. Many network devices including but not
limited to network switches, routers, remote access servers, UPSs, printers
and operating systems such as Unix and Windows NT have the ability to send
notifications to an SNMP manager running on a network management station.
The
notifications can be either SNMP Traps, or SNMP Inform messages. The
notification can contain a wide array of information such as port failures,
link failures, access violations, power outages, paper jams, hard drive
failures etc. The MIB (Management Information Base) available from the
vendor
determines the notifications supported by each device.
%prep
%setup -q -n %{name}_%{version}
%build
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p ${RPM_BUILD_ROOT}%{_sbindir}
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log/snmptt
mkdir -p ${RPM_BUILD_ROOT}%{_initrddir}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/spool/snmptt
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
install -m 0755 -d ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp
install -m 0755 -d ${RPM_BUILD_ROOT}%{_localstatedir}/log/snmptt
install -m 0755 -d ${RPM_BUILD_ROOT}%{_localstatedir}/spool/snmptt
install -m 0755 snmptt ${RPM_BUILD_ROOT}%{_sbindir}/snmptt
install -m 0755 snmptthandler ${RPM_BUILD_ROOT}%{_sbindir}/snmptthandler
install -m 0755 snmpttconvert ${RPM_BUILD_ROOT}%{_sbindir}/snmpttconvert
install -m 0755 snmpttconvertmib
${RPM_BUILD_ROOT}%{_sbindir}/snmpttconvertmib
install -m 0644 examples/snmptt.conf.generic
${RPM_BUILD_ROOT}%{_sysconfdir}/snmp/snmptt.conf
install -m 0644 snmptt.ini ${RPM_BUILD_ROOT}%{_sysconfdir}/snmp/snmptt.ini
install -m 0755 snmptt-init.d ${RPM_BUILD_ROOT}%{_initrddir}/snmptt
install -m 0644 snmptt.logrotate
${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/snmptt
%clean
rm -rf $RPM_BUILD_ROOT
%post
echo ""
echo "Add the service using chkconfig:
chkconfig --add snmptt
Configure the service to start at runlevel 2345:
chkconfig --level 2345 snmptt on
Snmptt will be started at the next reboot, or can be started immediately
with:
service snmptt start
or
/etc/rc.d/init.d/snmptt start
To manually start snmptt, use:
snmptt --daemon"
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/snmp
%dir %{_localstatedir}/log/snmptt
%dir %{_localstatedir}/spool/snmptt
%config(noreplace) %{_sysconfdir}/snmp/snmptt.conf
%config(noreplace) %{_sysconfdir}/snmp/snmptt.ini
%{_sbindir}/snmptt
%{_sbindir}/snmptthandler
%{_sbindir}/snmpttconvert
%{_sbindir}/snmpttconvertmib
%{_initrddir}/snmptt
%{_sysconfdir}/logrotate.d/snmptt
%changelog
* Thu Apr 21 2011 Alan Ivey <al...@ec...> - 1.3-1
- First RPM
--
Alan Ivey
Systems Administrator, EchoDitto
al...@ec...
202-285-9455 ext 115
AIM: echodittoalan
|
|
From: Alex B. <al...@us...> - 2009-11-15 13:54:53
|
SNMPTT 1.3 has been released.

What's new:

* Added snmptthandler-embedded - a Net-SNMP snmptrapd embedded Perl version of snmptthandler.
* Added variable substitutions $Be, $Bu, $BE and $Bn for SNMPv3 securityEngineID, securityName, contextEngineID and contextName (requires snmptthandler-embedded handler).
* Added snmptt.ini option duplicate_trap_window variable for duplicate trap detection.
* Added LSB init keywords and actions to snmptt-init.d and changed the priority for start / stop so that it starts after snmptrapd and stops before snmptrapd.
* Changed the default log path to /var/log/snmptt for Unix and c:\snmpt\log for Windows to make it easier to grant write permission to the snmptt process.
* Changed umask for log files to 002 to ensure they are not created as world writable.
* Fixed a bug where the PID file was being created using the parent (root) PID instead of the child (daemon_uid) when daemon_uid is used.
* The DEBUG log file will now be re-opened when a HUP signal is sent.
* When debugging is enabled, flush buffers every sleep cycle so we can tail the debug log file.
* Don't print messages to the console when starting in daemon mode unless debugging is enabled or an error occurs.
* 'Could not open debug output file!' is no longer reported when debugging is disabled.
* Added snmptt.logrotate file from Ville Skytta.
* Fixed a bug (1748512) with handling escaped quotes in a trap message.
* Updated snmptt-net-snmp-test to test MIB descriptions.
* SNMPTTConvertMIB: Fixed a bug (1678270) where a TRAP-TYPE / NOTIFICATION-TYPE line would not translate if it was split

Download: https://sourceforge.net/projects/snmptt/files/

Alex
|
|
From: Alex B. <al...@us...> - 2008-04-08 00:42:20
|
Hi Mark.

Mark Seger wrote:
> I just did a brand new install of net-snmp-5.4.1.tar.gz and
> snmptt_1.2.tgz on a rhel5.1 system. When I try to start snmptt, I get
> the following error:
.
.
> I created symlinks to libnetsnmp.so.15 in /usr/lib and /usr/lib64 (just
> to be safe) and it did manage to start. Is this a problem with the
> installation on libnetsnmp?

Yes, it sounds like a problem with Net-SNMP install. Can you post this to the Net-SNMP-Users mail list?

http://www.net-snmp.org/support/mailinglists.html

Alex
|
|
From: Mark S. <Mar...@hp...> - 2008-04-07 12:30:49
|
I just did a brand new install of net-snmp-5.4.1.tar.gz and snmptt_1.2.tgz on a rhel5.1 system. When I try to start snmptt, I get the following error:

[root@cag-dl585-01 net-snmp-5.4.1]# service snmptt start
Starting snmptt: Config file /usr/local/etc/snmp/snmptt.ini loaded
Can't load '/usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/auto/NetSNMP/default_store/default_store.so' for module NetSNMP::default_store: libnetsnmp.so.15: cannot open shared object file: No such file or directory at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/DynaLoader.pm line 230.
 at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/SNMP.pm line 16
Compilation failed in require at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/SNMP.pm line 16.
BEGIN failed--compilation aborted at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/SNMP.pm line 16.
Compilation failed in require at (eval 6) line 1.

Could not load the Perl module SNMP! If net_snmp_perl_enable is enabled then the SNMP module is required. Please see snmptt.html for system requirements. Note: SNMPTT uses the Net-SNMP package's SNMP module, NOT the CPAN Net::SNMP module!

However, SNMP.pm is there. It sounds like the message is saying it can't find libnetsnmp.so but it is:

[root@cag-dl585-01 net-snmp-5.4.1]# find / | grep netsnmp.so
/usr/local/net-snmp-5.4.1/snmplib/.libs/libnetsnmp.so.15
/usr/local/net-snmp-5.4.1/snmplib/.libs/libnetsnmp.so.15.1.0
/usr/local/net-snmp-5.4.1/snmplib/.libs/libnetsnmp.so
/usr/local/lib/libnetsnmp.so.15
/usr/local/lib/libnetsnmp.so.15.1.0
/usr/local/lib/libnetsnmp.so
/usr/lib64/libnetsnmp.so.10
/usr/lib64/libnetsnmp.so.10.0.1
/usr/lib/libnetsnmp.so.10
/usr/lib/libnetsnmp.so.10.0.1

I created symlinks to libnetsnmp.so.15 in /usr/lib and /usr/lib64 (just to be safe) and it did manage to start. Is this a problem with the installation on libnetsnmp?

-mark
|
|
From: Aaron S. <spi...@gm...> - 2007-09-10 00:49:27
|
All,

I've created a patch and documentation for a proposed new syntax line for SNMPTT called FACILITY. Facilities would represent really any single part of a monitored system that a user wanted to group traps under, but the expressed purpose is to group traps for physical components or alarm types of a monitored device. For instance, a facility might group traps for a specific network interface, a specific power-supply, a device's power-supply subsystem or temperature status.

I'm using the patched copy of SNMPTT so that I can consolidate, and automatically clear/escalate alarms in a MySQL database.

FACILITY syntax lines work just about the same as FORMAT lines, but can be used for a different purpose. Although, the "category" field fills a similar role, it is static, and wouldn't be able to represent facilities identified by bind variables. An alternative solution (alternative to facilities) could be to parse a portion of the FORMAT output, but this would require some undocumented consistency, and seemed a bit hacky.

If you're interested in the changes, please check out my documentation and source for them at my wiki: http://wiki.i-x.net/display/nagios/facilities. I'm very interested in any comments and suggestions.

Thanks,
Aaron Spiegel
|
|
From: Alex B. <al...@us...> - 2007-06-16 14:34:34
|
What's new:
- When daemon_uid is used, two processes will now be spawned. The first process will be run as the same user that started SNMPTT (which should be root). The second will run as the daemon_uid user. This was changed so that SNMPTT could properly clean up the pid file on exit.
- Added snmptt.ini option pid_file to allow for custom pid file locations when running in daemon mode.
- Fixed bug where pid file did not contain the current pid of snmptt.
- Added snmptt.ini options date_format, time_format, date_time_format, date_time_format_sql and stat_time_format_sql to allow the output format for $x and $X substitution variables, and the format of the date/time for text logs and SQL to be changed using strftime() variables. This allows for proper date/time data types to be used in SQL databases.
- Added logging of trap statistics to a SQL table. Added *table_statistics snmptt.ini variable to define the table to be used.
- Added ability to add custom columns to *_table and *_table_unknown tables. Added sql_custom_columns and sql_custom_columns_unknown snmptt.ini options.
- Added snmptt.ini option unknown_trap_exec_format to allow custom output with substitutions.
- Added the ability to log system messages to a text file in addition to the existing syslog and Event Log. Added snmptt.ini options log_system and log_system_file.
- Added a work-around to the Net-SNMP v5.4 traphandle bug (1638225) where the host name was set to <UNKNOWN>. When detected, SNMPTT will use the host IP address instead.
- Added a $H variable substitution to give the host name of the computer that is running SNMPTT, or a user defined value specified in the new snmptt_system_name snmptt.ini option.
- Added MATCH support for bitwise AND
- Added snmptt.ini option exec_escape to escape wildcards (- and ?) in EXEC, PREEXEC and the unknown_trap_exec commands. This is enabled by default for Linux and Unix (or anything non-Windows) to prevent the wildcards from being expanded by the shell.
- Moved unknown_trap_exec to Exec section in snmptt.ini.
- Added 'use strict' pragma in source code.
- Experimental: Added threads (Perl ithreads) support for EXEC. When enabled, EXEC commands will launch in a thread to allow SNMPTT to continue processing other traps. Added snmptt.ini options threads_enable and threads_max.
- Fixed bug where snmptt tried to log to syslog when changing UIDs even if syslog_system_enable was set to 0.
- Fixed a bug in REGEX with handling of captures. Text::Balanced module is now required.
- Fixed a bug under Windows where SNMPTT was trying to log to syslog instead of the event log.
- Fixed a bug where SNMPTT was attempting to log to syslog / eventlog when using the --time option.
- Fixed a bug in MATCH where the i modifier was not handled correctly.
- Added information to Nagios section of documentation for using SNMP traps as heartbeats by using freshness checks.
- Added information to Nagios section of documentation for using freshness checks to automatically clear trap alerts.
- SNMPTTConvertMIB:
o Fixed a bug (1438794) where a TRAP-TYPE / NOTIFICATION-TYPE line would not translate if it was split across two lines.
o Fixed a bug (1438394) where ARGUMENTS lines that have $1, $2 etc instead of %0, %1 would not translate.
o Fixed a bug where a --#SEVERITYMAP line would be used instead of --#SEVERITY.
Download: http://sourceforge.net/project/showfiles.php?group_id=51473
Alex
|
|
From: Alex B. <al...@us...> - 2006-01-18 00:41:24
|
SNMPTT v1.1 has been released.
What's new in v1.1:
- Added PREEXEC snmptt.conf file option to allow an external program to
be run before processing the FORMAT and EXEC lines. The output of the
external program is stored in the $pn variable where n is a number
starting from 1. Multiple PREEXEC lines are permitted. The first PREEXEC
stores the result of the command in $p1, the second in $p2 etc. Any
ending newlines are removed. The snmptt.ini parameter pre_exec_enable
can be used to enable / disable it.
- MATCH statement now accepts any variable name instead of only
enterprise variables. Example: MATCH $s:(Normal)
- Added NODES MODE= snmptt.conf file option to allow you to select
either POS (positive - the default) or NEG (negative) for NODES matches.
If set to NEG, then NODES is a 'match' only if none of the NODES entries
match.
- Added unknown_trap_exec snmptt.ini option. If defined, the command
will be executed for ALL unknown traps. Passed to the command will be
all standard and enterprise variables, similar to unknown_trap_log_file
but without the newlines.
- snmptt --dump which dumps all the configured EVENTs, now displays
duplicate EVENT entries to assist with troubleshooting duplicate entries
trap logs.
- If the debug log file can not be opened, a message is now logged to
syslog if syslog_system_enable is enabled, and to the Event Log if
eventlog_system_enable is enabled
- Fixed bug with PostgreSQL where some trap data was interpreted as
'placeholders' in the INSERT statement which caused logging errors.
PostgreSQL now uses PREPARE / EXECUTE statements instead.
- MySQL now uses PREPARE / EXECUTE statements instead of a single INSERT
statement.
- Fixed bug in NODES where NODES entries from previous EVENTs were not
being purged correctly.
- Fixed bug where snmptt --dump would attempt to log to syslog or the
Event Log.
- Fixed bug that prevented the wildcard .* from being accepted on the
EVENT line.
- Added Windows Event Log forwarding documentation to integration section.
- SNMPTTConvertMIB:
o Fixed a bug when --format_desc=n was used that caused extra
trailing whitespaces to be added for every non existent line in the
description.
o Fixed bug that prevented some MIBs from being accepted due to
spacing in the DEFINITIONS::= line.
o Fixed bug that prevented --ARGUMENTS {} from being parsed due
to spacing.
|
|
From: Mohr, S. <s....@br...> - 2005-11-17 18:29:41
|
Hi Alex, hi everyone again,

is it possible to use all of the variables like e.g. $e or $s in the MATCH command like my two examples?

EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "GENERIC" Minor
FORMAT Link DOWN on interface $1. Admin state: $2. Operational state: $3
MATCH MODE=and
MATCH $e:!(.1.3.6.1.4.1.94|.1.3.6.1.4.1.1713)

EVENT linkUp .1.3.6.1.6.3.1.1.5.4 "GENERIC" Normal
FORMAT Link UP on interface $1. Admin state: $2. Operational state: $3
MATCH MODE=and
MATCH $e:!(.1.3.6.1.4.1.94|.1.3.6.1.4.1.1713)

Thanks,
Stefan Mohr
|
|
From: Mohr, S. <s....@br...> - 2005-11-17 18:07:35
|
Hi Alex, hi everyone,

I have net-snmp 5.2.1 together with SNMPTT 1.0 installed and I am facing the problem that every trap is handled DOUBLE by SNMPTT. I have checked that there is really only one trap coming in - but in the snmptt database tables there are always (!) two traps which are exactly the same.

What to do?

Thanks,
Stefan Mohr
|
|
From: Alex B. <al...@us...> - 2005-11-06 15:13:51
|
What's New:
- Added PREEXEC snmptt.conf file option to allow an external program to be
run before processing the FORMAT and EXEC lines. The output of the
external program is stored in the $pn variable where n is a number
starting from 1. Multiple PREEXEC lines are permitted. The first PREEXEC
stores the result of the command in $p1, the second in $p2 etc. Any ending
newlines are removed. The snmptt.ini parameter pre_exec_enable can be used
to enable / disable it.
- Added unknown_trap_exec snmptt.ini option. If defined, the command will
be executed for ALL unknown traps. Passed to the command will be all
standard and enterprise variables, similar to unknown_trap_log_file but
without the newlines.
- snmptt --dump which dumps all the configured EVENTs, now displays
duplicate EVENT entries to assist with troubleshooting duplicate entries
trap logs.
- If the debug log file can not be opened, a message is now logged to
syslog if syslog_system_enable is enabled, and to the Event Log if
eventlog_system_enable is enabled
- Fixed bug where snmptt --dump would attempt to log to syslog or the
Event Log.
- Fixed bug with PostgreSQL where some trap data was interpreted as
'placeholders' in the INSERT statement which caused logging errors.
PostgreSQL now uses PREPARE / EXECUTE statements instead.
- MySQL now uses PREPARE / EXECUTE statements instead of a single INSERT
statement.
- Fixed bug that prevented the wildcard .* from being accepted on the
EVENT line.
- Added Windows Event Log forwarding documentation to integration section.
- SNMPTTConvertMIB:
o Fixed a bug when --format_desc=n was used that caused extra trailing
whitespaces to be added for every non existent line in the description.
o Fixed bug that prevented some MIBs from being accepted due to spacing
in the DEFINITIONS::= line.
o Fixed bug that prevented --ARGUMENTS {} from being parsed due to
spacing.
Download: http://sourceforge.net/project/showfiles.php?group_id=51473
Alex
|
|
From: Alex B. <al...@us...> - 2005-11-03 21:19:22
|
The CVS version has a new feature for executing an external command for all unknown traps. From the ChangeLog:

- Added unknown_trap_exec snmptt.ini option. If defined, the command will be executed for ALL unknown traps. Passed to the command will be all standard and enterprise variables, similar to unknown_trap_log_file but without the newlines. Thanks to Carlos Velasco for the patch.

There are also some bug fixes such as:

- Changed PostgreSQL INSERT statements to PREPARE / EXECUTE to prevent issue with trap data being interpreted as placeholders in the SQL statement which was causing logging errors

See the ChangeLog for other fixes:

http://cvs.sourceforge.net/viewcvs.py/snmptt/snmptt/ChangeLog?rev=1.179&view=log

Alex
|
|
From: Alex B. <al...@us...> - 2005-11-03 19:33:15
|
I have added a new snmptt.conf option called PREEXEC to CVS. From the
ChangeLog:
- Added PREEXEC snmptt.conf file option to allow an external
program to be run before processing the FORMAT and EXEC lines.
The output of the external program is stored in the $pn variable
where n is a number starting from 1. Multiple PREEXEC lines
are permitted. The first PREEXEC stores the result of the
command in $p1, the second in $p2 etc. Any ending newlines
are removed. snmptt.ini parameter pre_exec_enable can be used
to enable / disable it.
Like other EXEC commands, it will block SNMPTT and it's up to the
program / script you call to timeout within a reasonable amount of time.
A good example of its use is with linkDown and linkUp traps:

EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "Status Events" Normal
FORMAT Link down on interface $1($p1). Admin state: $2. Operational state: $3
PREEXEC /usr/local/bin/snmpget -v 1 -Ovq -c public $aA ifDescr.$1

Sample output:

Link down on interface 69("100BaseTX Port 1/6 Name SERVER1"). Admin state up. Operational state: down

In the above example the result is in quotes because that is what comes
back from snmpget (it is not added by SNMPTT).
If anyone would like to test this out, please let me know how it works
out. You can get the CVS version from:
http://sourceforge.net/cvs/?group_id=51473
I plan to release a beta version for 1.1 as soon as I update the
documentation for the recent changes.
Alex
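
An added example, not part of the original message and not SNMPTT code: a PREEXEC helper for the linkDown lookup above that validates the trap-supplied agent address and interface index before they reach snmpget, and bounds the lookup time because PREEXEC blocks SNMPTT. The script name and install path, the SNMPGET, COMMUNITY and LOOKUP_TIMEOUT variables, the function names and the IPv4-only restriction are assumptions.

```shell
#!/bin/sh
# ifdescr-lookup: hypothetical PREEXEC helper (not shipped with SNMPTT).
# Assumed snmptt.conf usage:
#   PREEXEC /usr/local/bin/ifdescr-lookup $aA $1

SNMPGET="${SNMPGET:-/usr/local/bin/snmpget}"   # path from the example above
COMMUNITY="${COMMUNITY:-public}"
LOOKUP_TIMEOUT="${LOOKUP_TIMEOUT:-5}"          # hard cap in seconds for one lookup

# Accept only a dotted-quad IPv4 address (this example does not handle IPv6).
valid_agent() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # safe: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a positive decimal ifIndex: no signs, spaces or shell syntax.
valid_ifindex() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

# Print the interface description, or "unknown" so $p1 is never empty.
# Returns 2 on rejected input, 1 on lookup failure or timeout, 0 on success.
lookup_ifdescr() {
    agent=$1
    ifindex=$2
    if ! valid_agent "$agent" || ! valid_ifindex "$ifindex"; then
        printf '%s\n' 'unknown'
        return 2
    fi
    # timeout(1) caps total run time; -t 1 -r 1 limit snmpget to one
    # one-second try plus one retry. Every argument is passed quoted, as
    # a separate word, so nothing from the trap is re-parsed by a shell.
    if descr=$(timeout "$LOOKUP_TIMEOUT" "$SNMPGET" -v 1 -Ovq -t 1 -r 1 \
                   -c "$COMMUNITY" "$agent" "ifDescr.$ifindex" 2>/dev/null) \
        && [ -n "$descr" ]; then
        printf '%s\n' "$descr"
    else
        printf '%s\n' 'unknown'
        return 1
    fi
}

# Run the lookup only when called with the two PREEXEC arguments.
if [ "$#" -eq 2 ]; then
    lookup_ifdescr "$1" "$2"
fi
```
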
|
|
From: Alex B. <al...@fr...> - 2003-04-18 13:57:39
|
SNMPTT 0.7 has been released.
What's New:
-Fixes a vulnerability that prevents the possibility of injected commands
contained in traps from being executed when using the EXEC feature
-Added the ability for traps passed from snmptrapd or loaded from the
snmptt.conf files to contain symbolic OIDs such as linkDown and
IF-MIB::linkUp. This feature requires the UCD-SNMP / Net-SNMP Perl module
-Added the configuration options translate_trap_oid and translate_oids to
have the trap OID and OID values contained in the trap variables
converted from numerical OID to symbolic form before logging. This
feature requires the UCD-SNMP / Net-SNMP Perl module
-Added support for logging of traps using PostgreSQL via DBI / DBD::PgPP
-Added REGEX keyword support to allow user definable search and replace on
FORMAT / EXEC lines
-NODES entry can now contain a CIDR address (eg: 192.168.10.0/23), or a
network range (192.168.10.0-192.168.11.255)
-NODES entry can now contain a mix of host names, IP addresses, CIDR
addresses, network ranges and filenames
-Added the ability to force a reload of the configuration files while
running in daemon mode by placing a file called !reload in the spool
directory
-Added snmptt-net-snmp-test program to perform various translations of
numeric and symbolic OIDS to assist with determining if the installed
Perl module will function as expected with SNMPTT
-Fixed bug that prevented quoted text from being logged correctly to SQL
databases
-Fixed bug that would prevent the translation of integer values to
enumeration tags and variable name substitutions when using Net-SNMP
5.0.x
-Snmpttconvertmib:
-FORMAT / EXEC line can now contain any of the following:
- --#SUMMARY or DESCRIPTION (use DESCRIPTION only if --#SUMMARY does not
exist)
- DESCRIPTION or --#SUMMARY (use --#SUMMARY only if DESCRIPTION does not
exist)
- --#SUMMARY and DESCRIPTION
- DESCRIPTION and --#SUMMARY
-When using the DESCRIPTION to build the FORMAT / EXEC line, can now
choose between using the first line of the DESCRIPTION field, or the
first x number of sentences
-The use of the ---SUMMARY and DESCRIPTION line for the FORMAT / EXEC
line can be disabled
-Support for multiple ---SUMMARY lines
-Support for ---SEVERITY lines
-The default of using the $* wildcard can be disabled
-Conversion of the DESCRIPTION section to SDESC / EDESC can be disabled
-EXEC line can be specified on the command line
-NODES line can be specified on the command line
Alex
|
|
From: Alex B. <al...@fr...> - 2003-03-25 19:04:41
|
SNMPTT 0.6 has been released.

What's New:

0.6 - March 25th, 2003

Logging:
-Added support for logging of traps using DBD::ODBC
-Fixed bug with Win32::ODBC connection not being closed on exit of SNMPTT
-MySQL code cleanup
-Added support for logging traps to the NT Event Log including the ability to select the Event Log level based on the severity level defined in the snmptt.conf file
-Improved syslog support by adding the ability to select the syslog level based on the severity level defined in the snmptt.conf file
-Added syslog and NT Event Log support for SNMPTT 'system' events such as startup, shutdown, errors handling spool directory / files, database connectivity errors etc
-Added the option keep_unlogged_traps to have SNMPTT erase the spooled trap file only after it successfully logs to at least one or all log systems. This will help prevent traps from being lost due to logging problems.
-Added ability to translate integer values to enumeration tags defined in MIB files. This feature requires the UCD-SNMP / NET-SNMP Perl module
-Added new variable substitutions: $vn (variable name), $+n(variable name:value), $-n (variable name (type):value), $+* (same as $+n but wildcard), and $-* (same as $-n but wildcard). Translation of the variable name using the MIB requires the UCD-SNMP / NET-SNMP Perl module.
-If a variable is passed from snmptrapd that is blank, snmptt will replace it with (null)
-Fixed bug that would prevent variables numbered 10 or higher from being translated correctly
-Fixed bug with handling trap data that contains spaces but is not inside of quotes
-Code cleanup to remove Perl warnings (-w)
-Added separate debug file for snmptthandler
-Cleaned up defaults code for snmptthandler
-Added examples folder containing a sample snmptt.conf file and sample trap file
-Added FAQ section to this document

Snmpttconvertmib:
-Code cleanup
-Now uses new command line arguments (snmpttconvertmib -h for help).
-Can now use either snmptranslate or the SNMP Perl module (NET-SNMP) to process MIB files
-Can now add a NODES line when converting MIB files
-Now checks the version of snmptranslate before converting the mib to ensure snmptranslate is called correctly
-Fixed bug which would cause the last notification of a v2 MIB file not to be converted correctly
|