3.2 TrapMonitor

Use this Knowledge Script to monitor v1, v2, and v3 traps sent by remote devices. You can configure the script to generate events for each SNMP trap received. You can also configure this script to raise AppManager events based on the different alarm types used by the monitored SNMP traps.

After you run the Knowledge Script, the SNMPTraps_TrapMonitor job waits for notification of a trap from the NetIQ Trap Receiver server or servers. When the server receives a trap, the TrapMonitor job determines whether the IP address of the source device matches a device that the job is currently monitoring.

You can also use this script to create a new object in the Navigation pane or TreeView, with custom display name format, when a trap is received from a device that is not currently in the Navigation pane or TreeView.

This script also lets you filter the list of devices monitored, with filters based on OID (object identifier) values, ODE (object descriptive name) values, and varbind values, and exclusion filters based on MIB subtrees and trap source devices.

In addition, this script allows you to customize the AppManager event messages that correspond to SNMP traps listed in the SNMPTraps_AlarmMappings.csv file that comes with this module. For more information, see Section 3.3, Customizing AppManager Events for Trap Source Devices.

The SNMPTraps_TrapMonitor script also includes vendor-specific formatting for Avaya G3 and Avaya Communication Manager traps to make the AppManager event messages for those traps easier to read.

3.2.1 Prerequisite

Before running the SNMPTraps_TrapMonitor script, configure AppManager Security Manager with the community string and version information for each device you want to monitor. Security Manager entries for SNMP v1 and v2 are optional, but SNMP v3 traps require a Security Manager entry.

If you already use other modules that monitor SNMP traps, such as AppManager for Avaya Communication Manager or AppManager for Network Devices, you can continue to use any existing SNMPTrap Security Manager entries.

The type of Security Manager information you configure varies according to the version of SNMP implemented on the device. AppManager for SNMP Traps supports SNMP versions 1, 2, and 3.

Configuration for SNMP Versions 1 and 2

To set up Security Manager for SNMP v1 or SNMP v2 traps, complete the following fields on the Custom tab in Security Manager:

Field

Description

Label

SNMPTraps

This script also supports Security Manager entries labeled SNMPTrap, which is a label used by other modules that you might have already installed, such as AppManager for Avaya Communication Manager or AppManager for Network Devices.

Sub-label

Specify whether the community string is used for a single device or for all devices:

  • For a single device, list the IP address for the community string.

  • For all devices, enter default.

Value 1

Specify the community string for the device or devices.

Value 2

Leave this field blank.

Value 3

Leave this field blank.

Configuration for SNMP Version 3

AppManager for SNMP supports the following modes for SNMP version 3 (SNMP v3):

  • No authentication; no privacy

  • Authentication; no privacy

  • Authentication and privacy

In addition, the module supports the following protocols for SNMP v3:

  • MD5 (Message-Digest algorithm 5, an authentication protocol)

  • SHA (Secure Hash Algorithm, an authentication protocol)

  • DES (Data Encryption Standard, an encryption protocol)

  • AES (Advanced Encryption Standard, an encryption protocol, 128-bit keys only)

Configure SNMP v3 information for each device monitored by each proxy computer.

If you plan to monitor SNMP v3 traps, install the NetIQ Trap Receiver and the AppManager agent on the same computer to prevent malicious users from gaining secure access to the information in these traps. The SNMPTraps_TrapMonitor script notifies you if an SNMP v3 trap source device’s corresponding NetIQ Trap Receiver IP address does not match the IP address of the AppManager agent monitoring it.

The SNMPTraps_TrapMonitor script does not fully validate SNMP v3 credentials retrieved from Security Manager for a particular device or set of devices, and the script does not notify you if these credentials do not match. As a result, the SNMPTraps_TrapMonitor script might miss some SNMP v3 traps if you do not enter the Security Manager credentials properly.

For SNMP v3 configuration, complete the following fields in the Custom tab of Security Manager for the proxy agent computer.

Field

Description

Label

SNMPTraps

This script also supports Security Manager entries labeled SNMPTrap, which is a label used by other modules that you might have already installed, such as AppManager for Avaya Communication Manager or AppManager for Network Devices.

Sub-label

Specify the IP address, or enter default for all devices that do not have a specific IP address entry.

Value 1

Specify the SNMP user name, or entity, configured for the device.

All SNMP v3 modes require an entry in this field.

Value 2

Specify the name of the context associated with the user name or entity entered in Value 1. A context is a collection of SNMP information that is accessible by an entity. If possible, enter a context that provides access to all MIBs for a device.

If the device does not support context, type an asterisk (*).

All SNMP v3 modes require an entry in this field.

Value 3

Specify the combination of protocol and password appropriate for the SNMP v3 mode you have implemented.

  • For no authentication/no privacy mode, leave this field blank.

  • For authentication/no privacy mode, enter md5 or sha and the password for the protocol, separating each entry with a comma. For example, enter md5,abcdef

  • For authentication/privacy mode, enter md5 or sha and the associated password, and then enter des and the associated password, separating each entry with a comma. For example, enter sha,hijklm,des,nopqrs
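
Because the script does not fully validate SNMP v3 credentials, a pre-flight check of each entry against the field rules above catches mistakes before traps are silently missed. The following is an added example, not NetIQ code; the function names and sample entries are constructed, and only the lowercase md5, sha, and des tokens shown on this page are accepted.

```python
import ipaddress

LABELS = {"SNMPTraps", "SNMPTrap"}  # both labels are accepted, per the page
AUTH = {"md5", "sha"}               # authentication tokens shown on the page
PRIV = {"des"}                      # the only privacy token the page shows for Value 3


def check_value3(value3):
    """Return (mode, problems) for the Value 3 field. Passwords are never echoed."""
    if value3 == "":
        return "noAuthNoPriv", []
    raw = value3.split(",")
    problems = []
    if any(p != p.strip() for p in raw):
        problems.append("Value 3: whitespace around a comma-separated entry")
    parts = [p.strip() for p in raw]
    if len(parts) not in (2, 4):
        problems.append(
            f"Value 3: {len(parts)} comma-separated entries, expected 2 or 4 "
            "(a comma inside a password also causes this)"
        )
        return None, problems
    if parts[0] not in AUTH:
        problems.append("Value 3: first entry must be md5 or sha")
    if not parts[1]:
        problems.append("Value 3: authentication password is empty")
    mode = "authNoPriv"
    if len(parts) == 4:
        mode = "authPriv"
        if parts[2] not in PRIV:
            problems.append("Value 3: third entry must be des")
        if not parts[3]:
            problems.append("Value 3: privacy password is empty")
    return (mode if not problems else None), problems


def check_entry(label, sub_label, value1, value2, value3):
    """Validate one SNMP v3 Custom-tab entry; return (mode, problems)."""
    problems = []
    if label not in LABELS:
        problems.append("Label must be SNMPTraps (or SNMPTrap)")
    if sub_label != "default":
        try:
            ipaddress.ip_address(sub_label)
        except ValueError:
            problems.append("Sub-label must be an IP address or 'default'")
    if not value1.strip():
        problems.append("Value 1 (user name or entity) is required in every v3 mode")
    if not value2.strip():
        problems.append("Value 2 (context, or * if unsupported) is required in every v3 mode")
    mode, v3_problems = check_value3(value3)
    problems.extend(v3_problems)
    return (mode if not problems else None), problems


# Constructed sample entries: (Label, Sub-label, Value 1, Value 2, Value 3)
SAMPLES = [
    ("SNMPTraps", "default", "monitor", "*", ""),
    ("SNMPTraps", "10.41.5.100", "monitor", "*", "md5,abcdef"),
    ("SNMPTrap", "10.41.5.102", "monitor", "ctx1", "sha,hijklm,des,nopqrs"),
    ("SNMPTraps", "DeviceA", "monitor", "", "sha,hijklm,des"),  # three defects
]

if __name__ == "__main__":
    for entry in SAMPLES:
        mode, problems = check_entry(*entry)
        print(entry[1], mode or "INVALID", problems)
```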

3.2.2 Resource Objects

  • NT_MachineFolder

  • TRAP_SOURCE_DEVICE

3.2.3 Default Schedule

The default interval for this script is Asynchronous.

3.2.4 Setting Parameter Values

Set the Values tab parameters as needed:

Parameter

How to Set It

General Settings

Job Failure Notification

Event severity if TrapMonitor job fails unexpectedly

Set the event severity level, from 1 to 40, to reflect the importance when this script fails unexpectedly. The default is 5.

Event Details

Event detail format

Select whether to view event details in an HTML table or in plain text. The default is HTML Table.

Trap source address format

Select the elements of the trap source address you want to include in AppManager event messages. The default is Both.

If you select Host ID, the event message lists the host ID in brackets before the trap details. For example:

[RALDVAP655]: Trunk Layer 1 state changed to up

If you select Source IP, the event message lists the IP address for the source in brackets before the trap details. For example:

[10.22.124.33]: Trunk Layer 1 state changed to up

If you select Both, the event message lists the name of the host and the IP address in brackets, followed by the trap details. For example:

[RALDVAP655 (10.22.124.33)]: Trunk Layer 1 state changed to up

Format trap data according to SNMP version?

Select the version of SNMP to determine the type of formatting that will be used for trap event messages. The data provided by each format is the same, and only the layout is different. The default is SNMP v2.

Include prefix information to format event messages for Netcool adapter?

Select Yes if you are using the NetIQ AppManager Connector for IBM Tivoli Netcool/OMNIbus and want to format trap events for the connector. If you select Yes, the script adds four values, each preceded by tilde characters (~), to the start of the resulting AppManager event short message for use by the Netcool connector.

The default is unselected.

Varbind display options

Note: Enabling any of the following varbind display parameters might negatively impact the speed at which traps are processed.

Display ‘friendly’ ODEs in event messages?

Select Yes if you want to include spaces in the varbind ODE name in the event detail message. This parameter will add spaces in the varbind ODE name in between characters that differ in case, and it will add spaces between characters and numbers. The default is Yes.

For example, the varbind ODE name v1clogHistFacility would display as v1 clog Hist Facility.

Include varbind OID in event messages?

Select Yes to add the OID (object identifier) of the varbind in a separate column in the Varbind table.

The default is unselected.

Include varbind MIB name in event messages?

Select Yes to add the name of the MIB in front of the varbind ODE in the details of the event message varbinds.

For example, the varbind ODE name v1clogHistFacility would display as CISCO-SYSLOG-MIB::v1clogHistFacility.

The default is unselected.

Trap Filters

Note: The SNMPTraps_TrapMonitor script processes the include filters first, and then it processes the exclude filters applied against those results. Also, each filter parameter is processed in the order listed below, so the List of OIDs and ODEs parameters are processed before the List of MIB subtrees parameters.

Include Filters

List of OIDs and ODEs to include

Specify the object identifiers (OIDs) of the traps you want to monitor, ignoring all other traps. You can type one OID or a list of OIDs. If you use a list, separate the OIDs with a comma, without any spaces.

This parameter also supports the use of ODEs (descriptive names) if the relevant MIBs were loaded into the MIB subtree. If the relevant MIBs are not installed by this module, load them with the SNMPTraps_AddMIB Knowledge Script.

The case of the ODEs in your list must match the case of the ODEs as they are defined in the MIBs.

This parameter does not support wildcard characters or regular expressions.

List the OID or ODE information in the following format:

MIBName::TrapName or NumericalTrapOID

Separate multiple trap OIDs or ODEs with commas, without any spaces. For example:

EXTREME-DOS-MIB::extremeDosThresholdCleared,1.3.6.1.4.1.1916.4.14.0.2

File with list of OIDs and ODEs to include

If you have many OID values to monitor, you can specify the full path to a file that contains a list of the OID values you want to include.

This parameter also supports the use of ODEs if the relevant MIBs were loaded into the MIB subtree. If the relevant MIBs are not installed by this module, load them with the SNMPTraps_AddMIB Knowledge Script. The case of the ODEs in your list must match the case of the ODEs as they are defined in the MIBs.

List each OID or ODE value on a separate line in the file, and format them in the manner described in the previous parameter.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file. This script supports UNC shares if the agent’s parent account has authority to access the share. If you edit the contents of this file after running this job, restart the job to include the updates.

List of MIB subtrees to include

Specify a set of MIB subtrees for which you want to monitor all child traps. The script ignores any traps that are not part of the listed MIB subtrees.

You can type one MIB subtree or a list of MIB subtrees. If you type a list, separate the subtrees with a comma, without any spaces.

If you add multiple MIB subtrees in this parameter, the script ignores any higher-level subtrees if you also included a lower-level subtree in the list. For example, if you list both 1.3.6.1.4.1.9148 and 1.3.6.1.4.1.9148.1, the script ignores the first, higher-level entry to focus on the second, lower-level entry in the MIB subtree.

File with list of MIB subtrees to include

If you have many MIB subtrees to monitor, you can specify the full path to a file that contains a list of the subtrees you want to include. Each MIB subtree in the file should be on a separate line.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file. This script supports UNC shares if the netiqmc service account has permission to access the share.

Exclude Filters

List of OIDs, ODEs, and varbind values to exclude

Specify the OIDs, ODEs, and varbind values of the traps you do not want to monitor. You can specify one OID or ODE, or a list of OIDs and ODEs. If you use a list, separate the OIDs and ODEs with a comma, without any spaces.

The case of the ODEs in your list must match the ODEs as they are defined in the MIBs.

List the ODE information in the following format:

MIBName::TrapName

For example:

CXC-MIB::callHeld,CXC-MIB::callRetrieved

List the varbind value information in the following format:

MIBName::TrapName+MIBName::VarbindName=Value

For example:

CXC-MIB::callHeld+CXC-MIB::Varbind1=1

If you need to use a comma in the Value, above, use a tilde (~) character in place of the comma in every location where a comma should appear.

File with list of OIDs, ODEs, and varbind values to exclude

If you have many OIDs, ODEs, and varbind values to exclude, you can specify the full path to a file that contains a list of the OIDs, ODEs, and varbind values that you want to exclude. List each value on a separate line in the file, and format them in the manner specified in the previous parameter.

The case of the ODEs in your list must match the ODEs as they are defined in the MIBs.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file. This script supports UNC shares if the netiqmc service account has permission to access the share. If you edit the contents of this file after running this job, restart the job to include the updates.

List of MIB subtrees to exclude

Specify the MIB subtrees of the traps you want to exclude from monitoring so you can focus on a smaller set of traps. You can type one MIB subtree or a list of MIB subtrees. If you use a list, separate the subtrees with a comma, without any spaces.

File with list of MIB subtrees to exclude

If you have many MIB subtrees you want to exclude from monitoring, you can specify the full path to a file that contains a list of the subtrees you want to exclude. Each MIB subtree in the file should be on a separate line.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file. This script supports UNC shares if the netiqmc service account has permission to access the share.
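
The Trap Filters rules above (comma-only separators, no wildcards, the MIBName::TrapName or numeric OID format, lower-level subtrees taking precedence, and the tilde standing in for a comma in varbind values) can be checked before a job is started. The following is an added example, not NetIQ code; the function names are hypothetical and the patterns are an interpretation of the formats shown on this page.

```python
import re

NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")
ODE = re.compile(r"^[^\s:,+=]+::[^\s:,+=]+$")  # MIBName::TrapName
PATTERN_CHARS = set("*?[]()^$|\\")             # wildcard / regular-expression characters


def lint_trap_list(text):
    """Check a comma-separated 'List of OIDs and ODEs' value; return a list of problems."""
    problems = []
    for raw in text.split(","):
        item = raw.strip()
        if " " in raw:
            problems.append(f"{item!r}: remove spaces; separate entries with a comma only")
        if PATTERN_CHARS & set(item):
            problems.append(f"{item!r}: wildcards and regular expressions are not supported")
        elif not (NUMERIC_OID.match(item) or ODE.match(item)):
            problems.append(f"{item!r}: expected MIBName::TrapName or a numeric trap OID")
    return problems


def effective_subtrees(subtrees):
    """Drop each higher-level subtree that has a lower-level subtree in the same list.

    Comparison is per OID component, so 1.3.6.1.4.1.9148 is an ancestor of
    1.3.6.1.4.1.9148.1 but not of 1.3.6.1.4.1.91480.
    """
    parsed = [tuple(s.split(".")) for s in subtrees]
    kept = []
    for text, oid in zip(subtrees, parsed):
        shadowed = any(len(o) > len(oid) and o[:len(oid)] == oid for o in parsed)
        if not shadowed:
            kept.append(text)
    return kept


def parse_exclude_entry(entry):
    """Parse one exclude entry: an OID, an ODE, or ODE+MIBName::VarbindName=Value."""
    trap, plus, condition = entry.partition("+")
    if not plus:
        if not (NUMERIC_OID.match(trap) or ODE.match(trap)):
            raise ValueError(f"not an OID or MIBName::TrapName: {trap!r}")
        return {"trap": trap, "varbind": None, "value": None}
    # The page shows the varbind form only with ODE names, so require them here.
    varbind, equals, value = condition.partition("=")
    if not (ODE.match(trap) and equals and ODE.match(varbind)):
        raise ValueError(f"expected MIBName::TrapName+MIBName::VarbindName=Value: {entry!r}")
    # A tilde in the configured value stands for a comma in the varbind value.
    return {"trap": trap, "varbind": varbind, "value": value.replace("~", ",")}


def parse_exclude_list(text):
    """Split an exclude list on commas (safe because commas in values are written as ~)."""
    return [parse_exclude_entry(e) for e in text.split(",")]


if __name__ == "__main__":
    # Constructed inputs that reuse names and OIDs from this page.
    print(lint_trap_list("EXTREME-DOS-MIB::extremeDosThresholdCleared, 1.3.6.1.4.1.1916.4.14.0.2"))
    print(effective_subtrees(["1.3.6.1.4.1.9148", "1.3.6.1.4.1.9148.1", "1.3.6.1.4.1.91480"]))
    print(parse_exclude_list("CXC-MIB::callHeld,CXC-MIB::callRetrieved+CXC-MIB::Varbind1=a~b"))
```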

Additional Settings

Monitor devices not yet discovered?

Select Yes to create AppManager events for traps forwarded by devices that are not currently displayed in the Navigation pane or TreeView.

The default is unselected.

Discover new devices when traps received?

Select Yes to enable the script to discover a new device and create a new object for that device in the Navigation pane or TreeView when a trap is received from a device that has not yet been discovered. The default is unselected.

Reverse lookup DNS hostname from an unknown trap source IP address?

Select Yes to perform a reverse lookup of the IP address to determine the DNS hostname of the discovered device. The IP address for the device displays as part of the name of the object created for the discovered device in the Navigation pane or TreeView. The default is Yes.

This parameter only applies to devices that are not listed in the following parameter, File containing additional device name/IP address pairs.

Enabling this parameter might negatively impact the performance of this script.

If you select Yes for this parameter, you must also select Yes for the Monitor devices not yet discovered? parameter to enable the discovery of new devices.

File containing additional device name/IP address pairs

Specify the path to a list of mappings that pairs device names to IP addresses.

When a trap is received from an undiscovered device, this parameter determines the object display name in the Navigation pane or TreeView if a match is found. The Monitor devices not yet discovered? and the Discover new devices when traps received? parameters must both be set to Yes to enable the discovery of new devices.

If you selected No for the Discover new devices when traps received? parameter, this parameter formats the short event message of the relevant trap so a device name is specified.

In the file, list just one mapping pair per line, and separate the mappings with a comma, no spaces. Use the following format for the mappings in this file:

DeviceName,IPAddress

For example:

DeviceA,10.41.5.100

DeviceB,10.41.5.102

If the received trap’s source IP address does not match the source IP address contained in any monitored Navigation pane or TreeView object, but the IP address does match a source IP address provided in the file for this parameter, the script displays the new device in the Navigation pane or TreeView in one of the following three formats:

Trap Source: DNSHostname [IP Address]

Trap Source: CustomDeviceName [IP Address]

Trap Source: [IP Address]

For example:

Trap Source: DeviceA [10.41.5.101]

Note: You can use IPv6 addresses in your file, and the script will format the alarm event message properly to use the correct custom display name for the object. However, the script will not discover a device that uses an IPv6 address if you selected Yes for the Discover new devices when traps received? parameter. Traps containing IPv6-formatted source addresses will not have a corresponding object created in the Navigation pane or TreeView.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. This script supports UNC shares if the netiqmc service account has permission to access the share. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file.

File with list of IP addresses not yet discovered to exclude

Specify the full path to a file that contains an exclusion list of the IP addresses for devices that have not yet been discovered. This parameter lets you exclude a set of devices that are not relevant and, as a result, are never included as part of the unknown device support in the module.

Do not use this parameter to specify a set of already-discovered devices to exclude. Also, this parameter does not exclude already-discovered devices.

In the file, list one IPv4 or IPv6 address per line. The script ignores any lines that start with a hash (#) character, and the script also ignores any blank lines.

Place the file in a location that is accessible by the account under which the NetIQmc service is running on the agent. If you place the file in the NetIQ\AppManager\bin\SNMPTraps folder on the local agent, you do not need to specify a full path to the file. This script supports UNC shares if the netiqmc service account has permission to access the share. If you edit the contents of this file after running this job, restart the job to include the updates.

List of Trap Receiver IP address/TCP port pairs

Specify a list of mappings that pair IP addresses with the TCP port numbers for any Trap Receiver servers that can receive traps from a device that is not currently discovered in the Navigation pane or TreeView, or Trap Receiver servers that can receive any traps from IPv6 devices.

The IP address is for the NetIQ Trap Receiver (NTR) server that received the forwarded trap, and the port is the TCP port where the SNMPTraps_TrapMonitor job connects to the relevant Trap Receiver server. Use only the IP address, not the host name for a Trap Receiver server.

Traps containing IPv6-formatted source addresses will not have a corresponding object created in the Navigation pane or TreeView.

Format the pairs in the following manner: 10.22.50.100:2735.

Custom message mapping file

Specify the path to the file containing the custom event short message and alarm severity information for individual SNMP trap ODEs. This file also allows you to customize the alarm severity for individual varbind values and substitute text strings for individual varbind values.

The default is SNMPTraps_AlarmMappings.csv, located in the NetIQ\AppManager\bin\SNMPTraps folder on the AppManager agent. This file is pre-populated with objMapping, severityMapping, and varbindMapping entries for each trap defined in each MIB installed by the module.

If the SNMPTraps_AlarmMappings.csv file does not exist at the target location when you install this module, the installation process will create a new file in the target location.

All fields except for the <trap text> are not case-sensitive.

For more information about the SNMPTraps_AlarmMappings.csv file, see Section 3.3, Customizing AppManager Events for Trap Source Devices.

Tracing (for advanced users only)

Logging level

Select the logging level you want to monitor. The options are Off, Fatal, Error, Warn, Info, Debug, or All. The default is Warn.

Use these tracing settings only with the help of NetIQ Technical Support.

Monitor SNMP Traps

Event Notification

Raise critical alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping or a severityMapping entry with an AlarmSeverity of critical in the file specified in the Custom message mapping file parameter. The default is Yes.

A critical alarm indicates that a condition that impacts service has occurred and an immediate corrective action is required. An example of a critical event is when a total loss of service occurs, and that service must be restored.

Event severity when critical alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to a critical alarm. The default is 5.

Raise major alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping entry or a severityMapping entry with an AlarmSeverity of major in the file specified in the Custom message mapping file parameter. The default is Yes.

A major alarm indicates that a service-affecting condition has developed and requires an urgent corrective action. An example of a major event is when a severe degradation of service occurs, and the full capability of that service must be restored.

Event severity when major alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to a major alarm. The default is 10.

Raise minor alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping entry or a severityMapping entry with an AlarmSeverity of minor in the file specified in the Custom message mapping file parameter. The default is Yes.

A minor alarm indicates the existence of a fault condition that is not service-affecting, but you should take corrective action to prevent a more serious fault.

Event severity when minor alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to a minor alarm. The default is 15.

Raise warning alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping or a severityMapping entry with an AlarmSeverity of warning in the file specified in the Custom message mapping file parameter. The default is Yes.

A warning alarm indicates the detection of a potential or impending service-affecting fault before any significant effects have occurred. You should take action to further diagnose the problem, if necessary, and then correct the problem to prevent it from becoming a more serious service-affecting fault.

Event severity when warning alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to a warning alarm. The default is 20.

Raise unmapped alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping or a severityMapping entry with an AlarmSeverity of unmapped in the file specified in the Custom message mapping file parameter. The default is Yes.

An unmapped alarm indicates that no mapping exists for a trap that the script does not recognize.

Event severity when unmapped alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to an unmapped alarm. The default is 15.

Raise indeterminate alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping or a severityMapping entry with an AlarmSeverity of indeterminate in the file specified in the Custom message mapping file parameter. The default is Yes.

An indeterminate alarm indicates that an entry exists in the SNMPTraps_AlarmMappings.csv file, but the severity level cannot be determined due to a missing varbind value, or the entry contains a dynamic value that cannot be specified.

Event severity when indeterminate alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to an indeterminate alarm. The default is 20.

Raise cleared or resolved alarm event?

Select Yes to raise an AppManager event when the script receives a trap with a trap ODE that matches an objMapping or a severityMapping entry with an AlarmSeverity of cleared or resolved in the file specified in the Custom message mapping file parameter. The default is Yes.

A cleared or resolved alarm indicates that one or more previously reported alarms have been cleared.

Event severity when cleared or resolved alarm received

Set the severity level, from 1 to 40, to indicate the importance of an event in which the script receives a trap that maps to a cleared or resolved alarm. The default is 25.

Raise event if Trap Receiver is unavailable?

Select Yes to raise an event if a monitored Trap Receiver is not available. The default is Yes.

Event severity when Trap Receiver is unavailable

Set the severity level, from 1 to 40, to indicate the importance of an event in which a monitored Trap Receiver is unavailable. The default is 5.

Raise event if Trap Receiver becomes available?

Select Yes to raise an event if a monitored Trap Receiver becomes available. The default is No.

Event severity when Trap Receiver becomes available

Set the severity level, from 1 to 40, to indicate the importance of an event in which a monitored Trap Receiver becomes available. The default is 25.