Javier, writing from SEC to the snmptt log has one drawback -- since snmptt is also writing to this file, it is possible that write operations from SEC and snmptt will occur simultaneously, resulting in a mixture of two log lines. Therefore, sending an SNMP trap back to snmptt is certainly a better solution for the reasons of log file integrity. As for your last question, I didn't get the point exactly -- do you want to send back all traps that occur during the 5 minute suppression period? BR, risto
--- On Mon, 5/31/10, Javier <esj...@gmail.com> wrote:

From: Javier <esj...@gmail.com>
Subject: Re: [Simple-evcorr-users] Trap back to snmptt from sec
To: "Gonzalo Rodrigo Sancho" <grodr...@s21sec.com>
Cc: "simple-evcorr-users" <simple-evcorr-users@lists.sourceforge.net>
Date: Monday, May 31, 2010, 1:04 PM

Hi,

Finally I did it in a different way and it works: it writes to a second log and then I bring it back to snmptt.log. However, it seems to do it every time I send a trap, and my SingleWithSuppress rule doesn't work like I want. It should bring back that log only once in 5 minutes, as specified in the rule.

That's how I got it:

In snmptt.conf:

# MIB: <MIB's name>
#
#
EVENT dataEvent <generic OID> "Status Events" Normal
EXEC tail -1 /var/log/snmptt/snmptt.log | grep <generic OID> >> /var/log/snmptt/snmptt.sec.log
FORMAT $*

The rule:

type=SingleWithSuppress
ptype=RegExp
pattern=<generic OID> (\S+)
desc=estado $1
action=shellcmd /home/javier/send.sh
window=300

The /home/javier/send.sh script:

#!/bin/sh
tail -1 /var/log/snmptt/snmptt.sec.log >> /var/log/snmptt/snmptt.log

And that brings it back to the main log, but every time I send the same trap; it's supposed to be only once every 5 minutes. How can I send the trap back to the main log only one time within those 5 minutes when sending the same trap?

Thanks in advance

2010/5/27 Gonzalo Rodrigo Sancho <grodr...@s21sec.com>

Hi Javier,

So, if I understand you properly, you need to send an SNMP trap back, isn't it? In this case, make a simple script (like msg.sh) and adapt this solution to your case:

snmptrap -v 1 TRAP_RECIPIENT COMMUNITY OID LOCAL_IP GENERIC_TRAP SPECIFIC_TRAP s "string goes here" ....

e.g. sending from 10.1.1.1 (to 10.2.2.2):

snmptrap -v 1 10.2.2.2 public .1.3.6.1.2.1.0 10.1.1.1 1 6 0 0.0.0 s "This is a test"

By the way, this is for SNMP v1; if you are going to use v2, check the man page of snmptrap.

Regards,

> Hi,
>
> I use snmptt to handle traps. Some of the traps that I receive I correlate and process with SEC with a determinate OID; I apply a 'SingleWithSuppress' rule to them and it seems to work fine. But I need to trap back to snmptt to show the last coincidence later and I don't know how to do it, although I've seen that part in this link:
> http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC
>
> That's how I got it:
>
> perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptt.log
>
> my.conf:
> #Show the same alert only one time in 5 minutes
> type=SingleWithSuppress
> ptype=RegExp
> pattern=<OID_x>
> desc=servicio
> action=shellcmd /home/javier/msg.sh <- Only writes a log
> window=300
>
>
> snmptt.conf:
> ...
> EVENT <TRAP TYPE> <OID_x> "Status Events" Normal
> EXEC tail -1 /var/log/snmptt/snmptt.log | grep <OID_x> >> /var/log/snmptt/snmptt.sec.log
> FORMAT ....
>
>
> snmptt.conf.sec:
> ...
> EVENT <TRAP TYPE> <OID_x> "Status Events" Normal
> EXEC tail -1 /var/log/snmptt/snmptt.log | grep <OID_x> >> /var/log/snmptt/snmptt.sec.log
> FORMAT ....
>
>
> And that's the point where I find myself... a little bit lost. Any advice on changing or modifying any data here will be very appreciated.
>
> Thanks!!
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>

Gonzalo Rodrigo Sancho
Dept. Bitácora
EMail: grodr...@s21sec.com
Messenger: grodr...@s21sec.com
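As an added illustration for readers of this thread (not part of the original messages and not SEC's own code), here is a small Python model of how a SingleWithSuppress rule keys its suppression window: the rule's desc, after $1, $2, ... have been replaced by the pattern's capture groups, identifies the correlation operation, so a desc containing $1 opens a separate window for every distinct captured value, while a fixed desc gives one window per rule. The class SingleWithSuppress, the function run_demo, the placeholder OID in GENERIC_OID and the snmptt-style lines in SAMPLE_LOG are all constructed for this example; real SEC also folds the rule file and rule id into the key and uses Perl regular expressions, which this simplification leaves out.

```python
import re
from dataclasses import dataclass, field

# Placeholder trap OID standing in for the thread's "<generic OID>" (constructed, not a real MIB value)
GENERIC_OID = "1.3.6.1.4.1.99999.1.1"


@dataclass
class SingleWithSuppress:
    """Minimal model of SEC's SingleWithSuppress rule (added example, not SEC's code).

    On the first matching line the action runs and a suppression window of
    `window` seconds opens; further matches with the same key are ignored
    until the window closes.  The key is `desc` after $1, $2, ... have been
    replaced by the capture groups of `pattern`.
    """
    pattern: str
    desc: str
    window: int
    expires: dict = field(default_factory=dict)   # key -> time the window closes
    actions: list = field(default_factory=list)   # (time, key) for every action that ran

    def key_for(self, match):
        key = self.desc
        for i, group in enumerate(match.groups(), start=1):
            key = key.replace(f"${i}", group)
        return key

    def feed(self, line, now):
        """Return True if the action runs for this line at time `now` (seconds)."""
        match = re.search(self.pattern, line)
        if match is None:
            return False
        key = self.key_for(match)
        closes_at = self.expires.get(key)
        if closes_at is not None and now < closes_at:
            return False                      # suppressed: still inside the window
        self.expires[key] = now + self.window # (re)open the window for this key
        self.actions.append((now, key))
        return True


# Constructed snmptt-style log lines as (seconds since start, line).
# The token after the OID plays the role of the "(\S+)" capture in the thread's rule.
SAMPLE_LOG = [
    (0,   f"Mon May 31 13:00:00 2010 {GENERIC_OID} up"),
    (60,  f"Mon May 31 13:01:00 2010 {GENERIC_OID} down"),
    (120, f"Mon May 31 13:02:00 2010 {GENERIC_OID} up"),
    (400, f"Mon May 31 13:06:40 2010 {GENERIC_OID} down"),
]


def run_demo(desc):
    """Replay SAMPLE_LOG through a window=300 rule with the given desc; return the times the action ran."""
    rule = SingleWithSuppress(pattern=re.escape(GENERIC_OID) + r" (\S+)", desc=desc, window=300)
    return [now for now, line in SAMPLE_LOG if rule.feed(line, now)]


if __name__ == "__main__":
    # desc=estado $1 keys the window per captured status, so "up" and "down" suppress independently
    print("desc=estado $1 ->", run_demo("estado $1"))   # [0, 60, 400]
    # desc=estado uses one key for the whole OID, so at most one action per 5 minutes
    print("desc=estado    ->", run_demo("estado"))      # [0, 400]
```

The replay assumes each log line arrives intact and in order; it does not model the interleaved writes Risto warns about when two processes append to the same file, which is a separate reason to prefer handing the result back as a trap rather than a log line.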