TUT:Configuring snmptrapd to parse MIBS from 3rd party Vendors

From Net-SNMP Wiki
Revision as of 13:31, 9 May 2008 by Wes (Installing Custom MIBs: reference tutorial)


AKA, "How the hell do I log Cisco-specific traps?"

Introduction

By default, Net-SNMP clients and servers only understand a set of default MIBs.

Many agents/devices implement a variety of these default vendor-neutral MIBs (IF-MIB, etc.) as part of a compatibility package, but if you wish to communicate with vendor-customized MIB trees on a device, you must load the MIBs for that device from the vendor. For snmptrapd(8), traps with OIDs in trees not enumerated by the installed MIB files will show up in numeric format only.

Commonly Requested MIBs

Installing Custom MIBs

snmptrapd behaves like all other Net-SNMP applications and conforms to the standard methods of finding and loading MIBs. The "Using and loading MIBS" tutorial goes into depth about how to configure a Net-SNMP application to load extra MIBs. In summary, it boils down to:

  1. Identify the MIBs for your platform/product
  2. Install them into your $MIBDIR
  3. Adjust your $MIBS variable and restart the snmptrapd(8) binary


Identifying MIBs for your platform

The process is vendor-specific.

APC

APC has one huge MIB for all of its product lines: PowerNet MIB

Cisco

Cisco has approximately one thousand MIBs for various products:

seklecki@rampage:/home/seklecki$ echo ls | ftp -a ftp://ftp.cisco.com/pub/mibs/v2/ | wc -l
   1084

To find the MIBs supported by your Cisco product, look in the technical appendix of each product and/or use the MIB browser tool. You will need to search by your firmware file name (if you do not have access to the console, ask your admin, or walk the device with the community string provided).

http://tools.cisco.com/Support/SNMP/do/MIBSupport.do?local=en&step=3

Example Cisco Catalyst 3548-XL:

To find your hardware version:

cs0#sh version   | include proc
cisco WS-C3548-XL (PowerPC403) processor (revision 0x01) with 16384K/1024K bytes of memory.

To find your IOS/firmware filename:

cs0#sh flash: 
Directory of flash:/
  2  -rwx     1811552   Feb 28 1993 19:27:28  c3500xl-c3h2s-mz.120-5.WC17.bin

Once you search for your release, you will get an index of files that are required to meet various inter-MIB dependencies. Example Screenshot

You will also always need SNMPv2-SMI for all Cisco-related MIBs.

Install the MIBs in $MIBDIR

Place the files with appropriate permissions and ownership in $PREFIX/share/snmp/mibs/. The file extension used by Cisco is .my; APC uses .txt. Both are fine.

Activate the MIBs

As per snmpcmd(1), the -m flag can be set to 'ALL' on your snmptrapd(8) command line and/or you can export the environment variable MIBS.

RC Script

If you're running FreeBSD or NetBSD, which you should be, just modify your rc.conf(5) to reflect:

snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid -Ls 2 -Lf /var/log/snmptrapd-direct.log -m ALL"

Make snmptrapd(8) generate usable logs:

For a long time, I routed snmpd(8) and snmptrapd(8) traps through syslog(8). However, most commercial systems (and packet dump/analysis tools) display traps as:


 Header Var: Val
 Header Var: Val
 Header Var: Val
   OID1 - (Value) Format
   OID2 - (Value) Format
   OID3 - (Value) Format
   OID4 - (Value) Format
   ....

This format is much more parseable, both by machines and by humans.

The following snmptrapd.conf(5) excerpts will get you a human-readable snmptrapd-direct.log (which you will need to rotate using newsyslog(8)) and will also send traps to syslog(3) facility LOCAL2:

logoption s 2
logoption f /var/log/snmptrapd-direct.log
format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n

Examples

Cisco Authentication Failure

Without Custom MIB
$ sudo tail -50 /var/log/snmptrapd-direct.log 
NET-SNMP version 5.4.1
2008-05-08 18:18:11 vlan12.as0.lab00.pitbpa0.priv.collaborativefusion.com [UDP: [192.168.3.6]:54394]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (812050957) 93 days, 23:41:49.57	SNMPv2-MIB::snmpTrapOID.0 = OID: CISCO-SMI::ciscoMgmt.43.2.0.1	CISCO-SMI::ciscoMgmt.43.1.1.6.1.3.96 = INTEGER: 1	CISCO-SMI::ciscoMgmt.43.1.1.6.1.4.96 = INTEGER: 3	CISCO-SMI::ciscoMgmt.43.1.1.6.1.5.96 = INTEGER: 4


With Custom MIB
$ sudo tail -50 /var/log/snmptrapd-direct.log 
NET-SNMP version 5.4.1
 Agent Address: 0.0.0.0 
 Agent Hostname: vlan12.as0.lab00.*
 Date: 21 - 56 - 21 - 17 - 6 - 1991 
 Enterprise OID: . 
 Trap Type: Cold Start 
 Trap Sub-Type: 0 
 Community/Infosec Context: TRAP2, SNMP v2c, community foo
 Uptime: 0 
 Description: Cold Start 
 PDU Attribute/Value Pair Array:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (812034228) 93 days, 23:39:02.28
SNMPv2-MIB::snmpTrapOID.0 = OID: CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent
CISCO-CONFIG-MAN-MIB::ccmHistoryEventCommandSource.93 = INTEGER: commandLine(1)
CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource.93 = INTEGER: running(3)
CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigDestination.93 = INTEGER: startup(4) 
 -------------- 


As you can see, the latter configuration is a significant improvement.
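The record layout written by the format2 string above is regular enough to be consumed directly. The following is an added example, not part of this page or of Net-SNMP, that splits a snmptrapd-direct.log in that layout into records and flags Cisco configuration-change traps (CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent, which prints as CISCO-SMI::ciscoMgmt.43.2.0.1 when the vendor MIB is not loaded) together with their config source and destination; the log text is constructed for the example, with a made-up hostname and community.

```python
# Constructed sample in the exact layout the format2 string above produces (made-up host/community).
SAMPLE_LOG = """\
NET-SNMP version 5.4.1
 Agent Address: 0.0.0.0 
 Agent Hostname: vlan12.as0.lab00.example 
 Community/Infosec Context: TRAP2, SNMP v2c, community foo
 PDU Attribute/Value Pair Array:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (812034228) 93 days, 23:39:02.28
SNMPv2-MIB::snmpTrapOID.0 = OID: CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent
CISCO-CONFIG-MAN-MIB::ccmHistoryEventCommandSource.93 = INTEGER: commandLine(1)
CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource.93 = INTEGER: running(3)
CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigDestination.93 = INTEGER: startup(4) 
 -------------- 
"""
# Resolved name, plus the same trap as it prints without the vendor MIB (see "Without Custom MIB").
CONFIG_CHANGE_TRAPS = {"CISCO-CONFIG-MAN-MIB::ciscoConfigManEvent", "CISCO-SMI::ciscoMgmt.43.2.0.1"}


def parse_records(text):
    """Split the log into records: a dict of header fields plus a 'varbinds' dict."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("NET-SNMP version"):
            continue                                    # blank line or snmptrapd startup banner
        if line == "--------------":                    # record terminator written by format2
            if rec is not None:
                records.append(rec)
            rec = None
            continue
        rec = rec or {"varbinds": {}}                   # first line of a new record
        if " = " in line:                               # varbind line: NAME = TYPE: value
            name, _, rest = line.partition(" = ")
            vtype, _, value = rest.partition(": ")
            rec["varbinds"][name] = (vtype, value.strip())
        else:                                           # header line: Name: value
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return records


def config_change_events(records):
    """(agent hostname, config source, config destination) for each Cisco config-change trap."""
    hits = []
    for rec in records:
        vb = rec["varbinds"]
        if vb.get("SNMPv2-MIB::snmpTrapOID.0", ("", ""))[1] not in CONFIG_CHANGE_TRAPS:
            continue
        # Drop the MIB module prefix and the ccmHistoryEventEntry row index (".93") from the names.
        f = {n.split("::")[-1].split(".")[0]: v for n, (_, v) in vb.items()}
        hits.append((rec.get("Agent Hostname"), f.get("ccmHistoryEventConfigSource"), f.get("ccmHistoryEventConfigDestination")))
    return hits
```

A running-config-to-startup copy from the command line, as in the sample record, is exactly the kind of event worth alerting on from this log rather than from syslog, where the line breaks are lost.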

Note: Logging the improved format to syslog does not improve the situation, because the line-feed and carriage-return characters are translated.

This page was created on 05/06/2008 by Brian A. Seklecki.