Hi all,

I am trying to convert a certain kind of OID value (Hex-String) into a meaningful one in syslog. They are Dell BMC generated PET traps; I decoded a sample SNMP payload like this:

306d                                        SEQUENCE len=109
  0201 00                                   version-1(0)
  0406 70 75 62 6c 69 63                    community: public
  a460                                      TrapPDU(context constructed 4)
    0609 2b 06 01 04 01 98 6f 01 01         enterprise: .1.3.6.1.4.1.3183.1.1 [1]
    4004 ac 17 fc 6b                        agent-addr: 172.23.252.107
    0201 06                                 generic : enterprise-specific(6)
    0203 05 6f 00                           specific : 356096 [2]
    4304 1f 02 b3 22                        timestamp : 520270626 [3]
    303f                                    SEQUENCE len=63
      303d                                  SEQUENCE len=61
        060a 2b 06 01 04 01 98 6f 01 01 01  OID : .1.3.6.1.4.1.3183.1.1.1
        042f 44 45 ... c1                   VALUE: the 47-octet value[4]

[1] OID is a list of subidentifiers: 1*40+3 = 43 = 00101011;
    3183 = 11000 1101111 = (1)0011000 (0)1101111
[2] 356096 = 101 01101111 00000000 = 00000101 01101111 00000000
[3] 520270626 = 11111 00000010 10110011 00100010
    = 00011111 00000010 10110011 00100010
[4] The only entry in the variable-bindings list is a 47-octet value, in offset hex text:

0040  44 45 4c 4c 50 00 10 59 80 43 b2 c0 4f 33 33 58  DELLP..Y.C..O33X
0050  00 42 19 ee ab 64 ff ff 20 20 00 41 73 18 00 80  .B...d..  .As...
0060  01 ff 00 00 00 00 00 19 00 00 02 a2 01 00 c1     ...............

Actually it is an IPMI SEL-like entry, something like "Oct-16-2011 02:01:11 General Chassis Intrusion Asserted".

I have verified two ways to plug into snmptrapd to get a meaningful representation of the SEL-like entry, by adding to snmptrapd.conf:

1) traphandle OID|default PROGRAM [ARGS ...]

The external PROGRAM will be called by command_handler (always trap-specific?) once a trap is received and authorized against execute permission. command_handler() calls convert_v1pdu_to_v2() to get a v2 PDU, then uses handler->format or EXECUTE_FORMAT (#define EXECUTE_FORMAT "%B\n%b\n%V\n%v\n") to get a textual representation to feed to stdin of PROGRAM. There is a sample script, traptoemail, shipped with net-snmp. It is incapable of dealing with the sample PET trap, because the Hex-String value contains line-breaks.
A little tweak is required to join the multi-line value into one, then a helper program can be called to convert the Hex-String value to a meaningful representation.

2) perl do "/usr/local/share/snmp/mytrapd.pl";

It is an example from NetSNMP::TrapReceiver as well; it calls NetSNMP::TrapReceiver::register("all", \&my_receiver) to install a trap-specific (if some OID is specified) handler or a global one (in this case "all", into netsnmp_post_global_traphandlers). The my_receiver subroutine gets a hash containing similar but structured contents compared to those lines fed to stdin of PROGRAM. The helper program could also be invoked to get a meaningful string.

Well, I'd like to put the trap into syslog to be filtered. -Lsd works, but I simply failed to figure out any place to hook a translation. It looks like syslog logging is hooked before the above ways, into netsnmp_pre_global_traphandlers; it requires log permission instead of execute permission. Actually it is print_handler() that handles both cases, logging to syslog and logging to file. It honors handler->format as well, and in addition "format print xxx" could be used to specify a custom format (print_format1 or print_format2) in snmptrapd.conf. Unfortunately, I have no idea how to assign handler->format as well, and what's worse, the format specification does not recognize the SEL Hex-String at all.

In all of the three ways mentioned above, handlers might be injected before normally registered handlers and even return NETSNMPTRAPD_HANDLER_BREAK to bypass them. I guess this could be the place to do customization for the value of a certain OID. However, I don't know how to do such injection.

Any idea?

Thanks,
Kaiwang

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
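
Added example (not part of the original message, and not net-snmp code): a Python helper of the kind the message describes, which joins a Hex-STRING value wrapped over several lines and renders the PET fields as one SEL-style line. The field offsets follow the IPMI PET layout; the function names, the wrapped-line layout of the sample, and the one-entry event-name table are assumptions made for illustration.

```python
import re
import struct
from datetime import datetime, timedelta

PET_EPOCH = datetime(1998, 1, 1)   # PET local timestamps count seconds from this date
# Illustrative subset of IPMI (sensor type, event offset) names, not a full table.
EVENT_NAMES = {(0x05, 0x00): "General Chassis Intrusion"}

# Constructed sample: the 47 octets quoted in the message, laid out the way a
# wrapped Hex-STRING value might reach a handler (the wrapping is an assumption).
SAMPLE_LINES = [
    ".1.3.6.1.4.1.3183.1.1.1 Hex-STRING: 44 45 4C 4C 50 00 10 59 80 43 B2 C0 4F 33 33 58",
    "00 42 19 EE AB 64 FF FF 20 20 00 41 73 18 00 80",
    "01 FF 00 00 00 00 00 19 00 00 02 A2 01 00 C1",
]

def join_hex_value(lines):
    """Join a value that was split over several lines and return its octets."""
    text = " ".join(line.strip() for line in lines)
    text = text.rsplit(":", 1)[-1]          # drop a leading "OID Hex-STRING:" if present
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))

def decode_pet(value, specific_trap):
    """Decode the fixed part of a PET varbind plus the specific-trap number."""
    if len(value) < 47:
        raise ValueError("PET value too short: %d octets" % len(value))
    sequence, seconds = struct.unpack(">HI", value[16:22])
    return {
        "guid": value[:16].hex(),
        "sequence": sequence,
        # a timestamp of 0 means the sender did not supply one
        "local_time": PET_EPOCH + timedelta(seconds=seconds) if seconds else None,
        "sensor_number": value[28],
        "manufacturer_id": int.from_bytes(value[40:44], "big"),
        "sensor_type": (specific_trap >> 16) & 0xFF,
        "event_type": (specific_trap >> 8) & 0xFF,
        "asserted": not (specific_trap & 0x80),   # bit 7 set means deassertion
        "event_offset": specific_trap & 0x0F,
    }

def describe(pet):
    """Render the decoded trap as one SEL-style line for syslog."""
    key = (pet["sensor_type"], pet["event_offset"])
    name = EVENT_NAMES.get(key, "sensor type 0x%02x offset %d" % key)
    when = pet["local_time"].strftime("%Y-%m-%d %H:%M:%S") if pet["local_time"] else "time unspecified"
    return "%s %s %s" % (when, name, "Asserted" if pet["asserted"] else "Deasserted")

if __name__ == "__main__":
    print(describe(decode_pet(join_hex_value(SAMPLE_LINES), 356096)))
```

The same two functions can be called from a traphandle program after it has collected the continuation lines of the value from stdin.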