Dear all,

our Checkpoint Management platform is configured to send traps to Spectrum. Unfortunately the traps are somewhat cryptic. The event message reads like this:

Unknown alert received from device ckpt-sc-ek1 of type Host_Device. Device Time 2+08:35:01. (Trap type 1.3.6.1.4.1.2620.1.1.6.0) Trap var bind data: OID: 1.3.6.1.4.1.2620.1.1.11.0 Value: 31.31.4F.63.74.32.30.31.31.20.20.39.3A.31.31.3A.34.37.20.20.20.20.20.20.20.20.63.6B.70.74.2D.73.63.2D.65.6B.31.20.3C.20.20.20.20.73.6E.6D.70.74.72.61.70.20.53.79.73.74.65.6D.20.41.6C.65.72.74.20.6D.65.73.73.61.67.65.3A.20.41.20.46.69.72.65.77.61.6C.6C.20.50.6F.6C.69.63.79.20.68.61.73.20.62.65.65.6E.20.73.75.63.63.65.73.73.66.75.6C.6C.79.20.69.6E.73.74.61.6C.6C.65.64.20.6F.6E.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20.4F.62.6A.65.63.74.3A.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20.45.76.65.6E.74.3A.20.43.68.61.6E.67.65.3B.20.50.61.72.61.6D.65.74.65.72.3A.20.70.6F.6C.69.63.79.5F.74.69.6D.65.3B.20.43.6F.6E.64.69.74.69.6F.6E.3A.20.63.68.61.6E.67.65.73.20.54.68.75.20.53.65.70.20.32.32.20.31.34.3A.34.36.3A.30.35.20.32.30.31.31.3B.20.43.75.72.72.65.6E.74.20.76.61.6C.75.65.3A.20.54.75.65.20.4F.63.74.20.31.31.20.30.38.3A.31.30.3A.35.37.20.32.30.31.31.3B.20.70.72.6F.64.75.63.74.3A.20.53.79.73.74.65.6D.20.4D.6F.6E.69.74.6F.72.3B.A

OK, the "Value" seems to be hex code which needs to be translated into ASCII, which results in "131Oct2011 9:11:47 ckpt-sc-ek1 < snmptrap System Alert message: A Firewall Policy has been successfully installed on hg-fw2-d20-neu; Object: hg-fw2-d20-neu; Event: Change; Parameter: policy_time; Condition: changes Thu Sep 22 14:46:05 2011; Current value: Tue Oct 11 08:10:57 2011; product: System Monitor;%A"

What needs to be done to convert that into a Spectrum alarm? The mail below (7 years old!) is the only thing I found about that problem, but I never heard about a solution. Any ideas are welcome.

Best regards,
Bernd

From: <[email protected]>
To: "spectrum" <[email protected]>
Date: 15.12.2004 12:53
Subject: [spectrum] Alertmap REGEX Syntax

Hi,

We have a bunch of Checkpoint firewalls which snmptraps events thru a management station.
As you can see in the message inserted below, all data comes semicolon separated under one OID. This makes my life more complicated. It is also nice that the little sucker sometimes puts more than one event into the same trap (as you can see in the event).

--------------------------------------------------------------------------
Date/Time: Tue 14 Dec 2004 10:17:14
Model Name: test
Model Type: Pingable
Event Code: 0x00010801
User Name:
Event Message: Unknown alert received from device test of type Pingable. Device Time . (Trap type 1.3.6.1.4.1.2620.1.1.6.0 OID: 1.3.6.1.4.1.2620.1.1.11.0 Value: 14Dec2004 10:17:11 129.178.2.38 < snmptrap product: System Monitor; System Alert message: A FireWall-1 Policy has been successfully installed on fwri002-new; Object: 192.168.159.10; Event: Change; Parameter: FireWall-1 Policy install time; Condition: changes ; Current value: Tue Dec 14 10:17:05 2004; 14Dec2004 10:17:11 129.178.2.38 < snmptrap product: System Monitor; System Alert message: A FireWall-1 Policy has been successfully installed on fwgr002-new; Object: 192.168.159.11; Event: Change; Parameter: FireWall-1 Policy install time; Condition: changes ; Current value: Tue Dec 14 10:13:37 2004;
--------------------------------------------------------------------------

Now, I know I can handle this using the Alertmap REGEXP features to search for patterns. Here are 6 patterns I need to find in the data field. Maybe some of you Spectrumers know the regex Alertmap syntax for it.

If data contain:
"Event: Exception" and "disconnected" = Critical
"Event: Exception" and "Not installed" = Critical
"Event: Exception" and "more than" = Critical
"Event: Exception" and "less than" = Critical
"Event: Change" and "FireWall-1 Policy install time" = Warning
"Event: Change" and "FireWal-1 Policy name" = Warning

Anyone? Or do I have to drag myself thru the manual (again ;)

\Roberth

-----------------------------------------------------------------------
Roberth Edberg
System Architect & Spectrum Specialist
SEB IT Service, Systems Management
Rissneleden 110
SE-106 40 Stockholm
SWEDEN
Web: http://www.seb.se
E-mail: [email protected]
Voice: +46 8 639 30 42
Mobile: +46 70 509 30 42
Fax: +46 8 706 60 25
-----------------------------------------------------------------------
- "Did you know that the first Matrix was designed to be a perfect human world, where none suffered; where everyone would be happy. It was a disaster. No one would accept the program. Entire crops were lost. Some believed that we lacked the programming language to describe your perfect world, but I believe that as a species, human beings define their reality through misery and suffering. So the perfect world we dreamed, but your primitive cerebrum kept trying to wake up from Which is why The Matrix was redesigned to this...the peak of your civilization." / Agent Smith {The Matrix}

---
To unsubscribe from spectrum, send email to [email protected] with the body: unsubscribe spectrum [email protected]
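The decode-and-classify step both posts are asking about, as an added Python example that is not part of the thread or of any Spectrum or Check Point tooling: it turns the dotted-hex varbind from the 2011 trap back into text, splits a value that packs several events into one string (as the 2004 trap does), pulls out the semicolon-separated key/value fields after "< snmptrap", and applies Roberth's six substring rules to get a severity. The hex string is the one quoted in the 2011 post; the 2004 sample is retyped from the quoted event with whitespace condensed; all function names are my own. The pattern "FireWal-1 Policy name" is kept exactly as the mail wrote it, so if that is a typo for "FireWall-1" the rule never fires. Note also that the 2011 trap carries "Parameter: policy_time" rather than "FireWall-1 Policy install time", so under the 2004 rules it gets no severity at all; that is the kind of mismatch to check before wiring rules into an Alertmap.

```python
"""Decode a Check Point SNMP trap varbind and classify its events (example, not vendor code)."""
import re
from typing import Dict, List, Optional, Tuple

# Hex varbind value (OID 1.3.6.1.4.1.2620.1.1.11.0) quoted in the 2011 post, split into chunks.
CKPT_2011_VALUE = (
    "31.31.4F.63.74.32.30.31.31.20.20.39.3A.31.31.3A.34.37."
    "20.20.20.20.20.20.20.20.63.6B.70.74.2D.73.63.2D.65.6B.31.20.3C.20.20.20.20."
    "73.6E.6D.70.74.72.61.70.20.53.79.73.74.65.6D.20.41.6C.65.72.74.20."
    "6D.65.73.73.61.67.65.3A.20.41.20.46.69.72.65.77.61.6C.6C.20.50.6F.6C.69.63.79.20."
    "68.61.73.20.62.65.65.6E.20.73.75.63.63.65.73.73.66.75.6C.6C.79.20."
    "69.6E.73.74.61.6C.6C.65.64.20.6F.6E.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20."
    "4F.62.6A.65.63.74.3A.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20."
    "45.76.65.6E.74.3A.20.43.68.61.6E.67.65.3B.20."
    "50.61.72.61.6D.65.74.65.72.3A.20.70.6F.6C.69.63.79.5F.74.69.6D.65.3B.20."
    "43.6F.6E.64.69.74.69.6F.6E.3A.20.63.68.61.6E.67.65.73.20.54.68.75.20.53.65.70.20.32.32.20."
    "31.34.3A.34.36.3A.30.35.20.32.30.31.31.3B.20."
    "43.75.72.72.65.6E.74.20.76.61.6C.75.65.3A.20.54.75.65.20.4F.63.74.20.31.31.20."
    "30.38.3A.31.30.3A.35.37.20.32.30.31.31.3B.20."
    "70.72.6F.64.75.63.74.3A.20.53.79.73.74.65.6D.20.4D.6F.6E.69.74.6F.72.3B.A"
)

# Two-event value from the 2004 mail, retyped here from the thread (constructed sample, whitespace condensed).
CKPT_2004_VALUE = (
    "14Dec2004 10:17:11 129.178.2.38 < snmptrap product: System Monitor; "
    "System Alert message: A FireWall-1 Policy has been successfully installed on fwri002-new; "
    "Object: 192.168.159.10; Event: Change; Parameter: FireWall-1 Policy install time; "
    "Condition: changes ; Current value: Tue Dec 14 10:17:05 2004; "
    "14Dec2004 10:17:11 129.178.2.38 < snmptrap product: System Monitor; "
    "System Alert message: A FireWall-1 Policy has been successfully installed on fwgr002-new; "
    "Object: 192.168.159.11; Event: Change; Parameter: FireWall-1 Policy install time; "
    "Condition: changes ; Current value: Tue Dec 14 10:13:37 2004;"
)

# Roberth's six rules: (required "Event:" text, any-of substrings, resulting severity).
# "FireWal-1 Policy name" is verbatim from the mail; if it is a typo the rule will never match.
RULES = [
    ("Event: Exception", ["disconnected", "Not installed", "more than", "less than"], "Critical"),
    ("Event: Change", ["FireWall-1 Policy install time", "FireWal-1 Policy name"], "Warning"),
]

# Every event starts with a ddMonyyyy hh:mm:ss stamp; a lookahead split keeps the stamp with its event.
_EVENT_START = re.compile(r"(?=\b\d{1,2}[A-Z][a-z]{2}\d{4}\s+\d{1,2}:\d{2}:\d{2}\s)")
# Everything up to and including "< snmptrap" is the per-event header, not a key/value field.
_HEADER = re.compile(r"^.*?<\s*snmptrap\s+", re.DOTALL)


def decode_dotted_hex(value: str) -> str:
    """Turn '31.31.4F...' into text; a lone nibble such as the trailing 'A' is read as 0x0A."""
    raw = bytes(int(tok, 16) for tok in value.split(".") if tok.strip())
    return raw.decode("ascii", errors="replace")


def split_events(text: str) -> List[str]:
    """Split a varbind that packs several events into one string; empty leading piece is dropped."""
    return [ev.strip() for ev in _EVENT_START.split(text) if ev.strip()]


def parse_fields(event: str) -> Dict[str, str]:
    """Extract the 'key: value' pairs that follow '< snmptrap' in one event (split on ';', then first ':')."""
    body = _HEADER.sub("", event, count=1)
    fields: Dict[str, str] = {}
    for piece in body.split(";"):
        key, sep, val = piece.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def severity(event: str) -> Optional[str]:
    """Apply the rule table to one event's text; None means no rule matched."""
    flat = " ".join(event.split())  # collapse whitespace runs so the substrings compare cleanly
    for event_kind, needles, level in RULES:
        if event_kind in flat and any(needle in flat for needle in needles):
            return level
    return None


def process_varbind(value: str, hex_encoded: bool) -> List[Tuple[Dict[str, str], Optional[str]]]:
    """Decode (if needed), split, parse and classify every event carried in one varbind value."""
    text = decode_dotted_hex(value) if hex_encoded else value
    return [(parse_fields(ev), severity(ev)) for ev in split_events(text)]


if __name__ == "__main__":
    results = process_varbind(CKPT_2011_VALUE, hex_encoded=True)
    results += process_varbind(CKPT_2004_VALUE, hex_encoded=False)
    for fields, level in results:
        print(level, fields.get("Object"), fields.get("Event"), fields.get("Parameter"))
```

Run directly, it prints one line per event with the severity (None for the 2011 trap under the 2004 rules), the Object, the Event and the Parameter. The dotted-hex parser accepts an odd-length final token such as the trailing "A" because Check Point appends a newline to the message; a stricter parser that rejects it would drop the whole trap.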
