There's more than one way to do it: SNMP traps and Nagios (OT).

[Stanley Hopcroft]

Dear Ladies and Gentlemen,

I am writing to amplify on Mr John Rouillard's recent letter about Sec
in which he remarked (in a long but interesting and useful letter),

'Using sec to process traps (or other passive checks) is straight
forward.'

Indeed it is, and for the benefit of those born again trap users I will
share my experience of using Sec (http://www.estpak.ee/~risto/sec/) as
an alternative to employing discrete trap handlers as described in the
Nagios documentation ('Integration With Other Software'/SNMP traps).

Sec responds to events in an input stream, often a log file. Events are
text substrings or Patterns reporting the events occurrence.

The Net-SNMP projects snmptrapd can be made to log the fully decoded
trap and this is a natural event stream for Sec to process.

Whereas using discrete trap handlers requires

. tight coupling between the Nag config (service_description, host_name
and the status processing), the snmptrapd.conf and the trap handler

. a proliferation of trap handlers that are perhaps written in a
language that is hard to maintain (such as /bin/sh)

. acceptance of the trap handlers role as being forked by snmptrapd and
probably not being able to retain state between invocations

. willingness to get down and dirty with SNMP. Reading MIBs and using
the snmp tools (snmptranslate and snmptrap) are mandatory as are
alternatives such as Net::SNMP

(In my experience anyway), 

Sec provides 'Event Correlation' that is able to 

. suppress event pairs (eg if down/up) that occur within a time window

. suppressing repeated events (eg a cascasde of traps)

. sense and update context (context is completely user defined and may
be a calendar event or a particular FTP session). Context is then used
to further filter the Sec rules.

and other similar features.

A Sec confguration is largely declarative but allows the application to
perform some processing with ad-hoc Perl.

Since traps are detected by Sec using patterns or substrings, one can
remain blissfully ignorant of what number the trap is and what varbinds
are sent with it. In fact, being able to get MIBS installed is the only
SNMP pre-req (and to do this you will probably have to either outsource
it or the aformentioned D&D).

Here's some examples of a Sec rule from my second rate Sec.Conf

type=Single
ptype=RegExp
pattern=\]: (\S+?): .+?frDLCIStatusChange\) .+?frCircuitDlci\.\d+\.\d+ =
(\d+),.+?frCircuitState\.\d+\.\d+ = (\w+)\(
desc=Frame relay PVC state change
action=         \
  assign %i $1; \
  assign %c $2; \
  assign %d $3; \
  eval   %o ( '%d' eq 'active'   ? 'Ok. Frame relay PVC %c has changed
state to %d.'     : \
              '%d' eq 'inactive' ? 'Failed. Frame relay PVC %c has
changed state to %d.' : \
              '%d' eq 'invalid'  ? 'Failed. Frame relay PVC %c has
changed state to %d.' : \
                                      'Unknown. Frame relay PVC %c has
changed state to %d.' ); \
  eval   %d ( '%d' eq 'active'   ? 0 :             \
              '%d' eq 'inactive' ? 2 :             \
              '%d' eq 'invalid'  ? 2 :             \
                                        3 );            \
  eval   %h ( require '/usr/local/nagios/etc/alarm_hostnames.pl' unless
\
                            defined $ip2NagName{'%i'};          \
                   $ip2NagName{'%i'} );                         \
  write  /usr/local/nagios/var/rw/nagios.cmd ([%u]
PROCESS_SERVICE_CHECK_RESULT;%h;%s;%d;%o)
  # write  - ([%u] PROCESS_SERVICE_CHECK_RESULT;%h;%s;%d;%o)

This matches Frame relay DLCI status changes traps against the Pattern,
setting $1, $2 and $3 (the sender_ip, the DLCI and the PVC state).

It then stores the matching strings in Sec variables (%i, %c, ..) and
decodes the output it will return to Nagios (eval %o) and the return
code (%d).

It also works out the Nagios host name (%h) from a Perl hash that maps
the sender_ip (in %i) to the Nagios host_name directive (known apriori).

Finally it forms the Nag PROCESS_SERVICE_CHECK_RESULT command and writes
it to the queue.

Finally, Sec is actively developed, beautifully documented, powerful and
efficient.

It has a number of maintenance and debug friendly features that include
a ruletest option, writing output to STDOUT (to help ensure the patterns
match) and probably most helpful of all, accepting any input stream
(STDIN).

This latter facility means that one doesn't have to with varying degrees
of success, synthesise traps. The Sec rules can be tested agains logged
traps in snmptrapd's log with tail or grep.

Yours sincerely.


-- 
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------

'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.


-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null