Hi,

I finally did it in a different way and it works: it writes to a second log
and then I bring it back to snmptt.log. However, it seems to do it
every time I send a trap, and my SingleWithSuppress rule doesn't work like I
want. It should bring back that log only once in 5 minutes, as specified in
the rule. That's how I got it:

In snmptt.conf:

#
MIB: <MIB's name>
#
#
EVENT dataEvent <generic OID> "Status Events" Normal
EXEC tail -1  /var/log/snmptt/snmptt.log | grep <generic OID> >> /var/log/snmptt/snmptt.sec.log
FORMAT $*

The rule:

type=SingleWithSuppress
ptype=RegExp
pattern=<generic OID> (\S+)
desc=estado $1
action=shellcmd /home/javier/send.sh
window=300

The /home/javier/send.sh script:

#!/bin/sh
tail -1 /var/log/snmptt/snmptt.sec.log >>  /var/log/snmptt/snmptt.log

And that brings it back to the main log, but every time I send the same trap;
it's supposed to be only once every 5 minutes. How can I make it send the trap
back to the main log only once during those 5 minutes while the same trap
keeps being sent?


Thanks in advance









2010/5/27 Gonzalo Rodrigo Sancho <grodr...@s21sec.com>

> Hi Javier,
>
> So, if I understand you properly, you need to send an snmp trap back,
> isn't it?
>
> In this case, make a simple script (like the msg.sh) and adapt this
> solution to your case:
>
> snmptrap -v 1 TRAP_RECIPIENT COMMUNITY OID LOCAL_IP GENERIC_TRAP SPECIFIC_TRAP s "string goes here"
>
> .... e.g. sending from 10.1.1.1 (to 10.2.2.2):
>
> snmptrap -v 1 10.2.2.2 public .1.3.6.1.2.1.0 10.1.1.1 1 6 0 0.0.0 s "This is a test"
>
> By the way, this is for snmp v1, if you are going to use v2 check the man
> page of snmptrap.
>
> Regards,
>
> > Hi,
> >
> > I use snmptt for trap handling. Some of the traps that I receive, correlate
> > and process with SEC with a specific OID, I apply a 'SingleWithSuppress'
> > rule to them and it seems to work fine. But I need to trap back to snmptt
> > to show the last coincidence later and I don't know how to do it,
> > although I've seen that part in this link:
> > http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC
> >
> > That's how I got it:
> >
> > perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptt.log
> >
> > my.conf:
> > #Show the same alert only one time in 5 minutes
> > type=SingleWithSuppress
> > ptype=RegExp
> > pattern=<OID_x>
> > desc=servicio
> > action=shellcmd /home/javier/msg.sh <- Only writes a log
> > window=300
> >
> >
> > snmptt.conf:
> > ...
> > EVENT <TRAP TYPE> <OID_x> "Status Events" Normal
> > EXEC tail -1  /var/log/snmptt/snmptt.log | grep <OID_x> >> /var/log/snmptt/snmptt.sec.log
> > FORMAT ....
> >
> >
> > snmptt.conf.sec:
> > ...
> > EVENT <TRAP TYPE> <OID_x> "Status Events" Normal
> > EXEC tail -1  /var/log/snmptt/snmptt.log | grep <OID_x> >> /var/log/snmptt/snmptt.sec.log
> > FORMAT ....
> >
> >
> > And that's the point where I find myself... a little bit lost. Any advice
> > on changing or modifying any of the data here will be very much appreciated.
> >
> > Thanks!!
> >
> > ------------------------------------------------------------------------------
> >
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> >
>
>
>
> Gonzalo Rodrigo Sancho
> Dept. Bitácora
>
> EMail: grodr...@s21sec.com
> Messenger: grodr...@s21sec.com
>
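
How a SingleWithSuppress rule like the one in the message above decides when to run its action, as an added example that is not part of the thread: a small Python model run on constructed input. It shows that SEC tracks suppression per desc string after $1 is substituted, so lines whose captured token differs each get their own 300-second window. The OID and the log lines are constructed, and the behaviour exactly at the window boundary is a simplification of this model.

```python
import re

# Constructed OID standing in for the <generic OID> placeholder in the rule.
OID = ".1.3.6.1.4.1.99999.1"
PATTERN = re.compile(re.escape(OID) + r" (\S+)")  # pattern=<generic OID> (\S+)
WINDOW = 300                                      # window=300

# Constructed input: (arrival time in seconds, log line). Not real snmptt output.
SAMPLE_EVENTS = [
    (0,   f"{OID} up"),               # first "estado up": action runs
    (60,  f"{OID} up"),               # same desc inside the window: suppressed
    (120, f"{OID} down"),             # different $1, different desc: action runs
    (200, ".1.3.6.1.4.1.99999.2 up"), # other OID: pattern does not match
    (290, f"{OID} up"),               # still inside the window opened at t=0
    (400, f"{OID} up"),               # window from t=0 is over: action runs again
    (410, f"{OID} down"),             # inside the window opened at t=120
]


def single_with_suppress(events, pattern=PATTERN, window=WINDOW):
    """Return the (time, desc) pairs for which the rule's action would run.

    Model of the rule type: the first matching event runs the action and
    starts a suppression operation identified by the desc string; later
    matching events with the same desc are ignored until `window` seconds
    have passed since that first event. The window does not slide.
    """
    started = {}  # desc string -> start time of the active operation
    fired = []
    for now, line in events:
        match = pattern.search(line)
        if match is None:
            continue                          # rule does not match this line
        desc = "estado " + match.group(1)     # desc=estado $1
        start = started.get(desc)
        if start is not None and now - start < window:
            continue                          # suppressed, action not run
        started[desc] = now                   # new operation for this desc
        fired.append((now, desc))
    return fired


if __name__ == "__main__":
    for when, desc in single_with_suppress(SAMPLE_EVENTS):
        print(f"t={when:>3}s  action runs for: {desc}")
```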