SNMP Trap Variable Bindings

bshopp over 13 years ago 2 minute read time

Technorati Tags: SolarWinds,SolarWinds Orion,SolarWinds Orion NPM,SNMP Traps,Variable Binding

We added a feature back in Orion NPM 10, however, over time I have gotten this questions from folks and seen posts on thwack come up asking if you could do this in Orion and if so, how?

Background on the problem people are trying to solve:

An SNMP Trap sent from a device is a general blob of data with some standard data followed by vendor defined information called variable bindings; see the example below for how this looks.

These traps have additional information sent with them called variable bindings. These extra variables contain information relating to the trap and ya’ll don’t want to have to visually parse each trap manually. What you have asked for is some sort of variable notation allows the capability to format and display these variable bindings as needed.

With this ability you can format an email notification with the separate variable bindings. So instead of receiving an email with the block of text below in the example, you can get only the specific information you care about.

An example of of our community members posted on thwack was this.

What I want is the "apSvcTrapEventText" line with just "Service:test State:suspended" in the email. How do I format the email text to get it?

When creating the email notification template in Orion, you can do something like this below, where ${vbdata3} equals the value associated with the third listed trap variable.

${DateTime}

${Caption} - ${vbdata3}

Example:

03/08/2011 08:20 : ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap SNMP Trap
Received Time:3/8/2011 8:20:32 AM
Source:192.168.49.174(192.168.49.174)
Community:marcnet
Variable Bindings
sysUpTime:= 2 days 13 hours 35 minutes 55.25 seconds (22175525)
snmpTrapOID:= ARROWPOINT-SVCEXT-MIB:apSvcTransitionTrap (1.3.6.1.4.1.9.9.368.1.15.1.0.1)
apSvcTrapEventText:= Service Transition - Service:test State:suspended

Let’s walk through an example of this in the product.

On the Orion server, open the SNMP Trap Viewer
As you can see I have a specific trap, but I don’t want all the information included within it, I just want SysUpTime
Create a new trap rule in the SNMP Trap Viewer and define your filters to narrow down to the specific trap you are interested in. In this example, I did it by IP Address.
On the Alert Actions tab, select add a new alert action. I chose log to a file, but this would work with the others as well, including email
In the dialog “Message to Log File” I entered in three variable.
- Date/Time Stamp
- Name of the first trap variable
- Value of the first trap variable
In my text file I chose to log to, there is an entry for each trap I have received that matched this rule. As you can see, instead of getting the entire trap message, I only get the value as defined by my variables in step #5 above.

That’s it, pretty straight forward.

Garrison over 4 years ago

I'm resurrecting an old thread but it helped me so I wanted to clarify a point that it took me a little bit to work out. I couldn't figure out how to assign the variables for ${vbdata1}, ${vbdata2}, etc till I looked at my unformatted trap output. I wanted my email messages to come with a header to tell me the Node Name and Interface Name for an interface that is going down. As it turns out, I can get the Node Name from the standard variable ${Caption}, but figuring out the ${vbdataX} variable was harder.
Here's my final output:
IF-MIB:linkDown : 10/21/2019 1:34 PM
Node: hqgymlabtor11 / 192.168.0.140
Interface: GigabitEthernet1/0/9
SNMP Trap
     Received Time:10/21/2019 1:34:11 PM
Source:192.168.0.140(hqgymlabtor11)
     Community:
     Variable Bindings
           sysUpTime:= 298 days 23 hours 4 minutes 52.89 seconds (2583029289)
           snmpTrapOID:= IF-MIB:linkDown (1.3.6.1.6.3.1.1.5.3)
           ifIndex.10109:= 10109
           ifDescr.10109:= GigabitEthernet1/0/9
           ifType.10109:= 6
           locIfReason.10109:= down
NOTE: This message will not show up in the All Alerts page. To edit it, log onto server hapsworion01 and launch the Trap Viewer.
I finally figured out that ${vbdata1} is the first value after the := under Variable bindings, in other words, "298 days, 23 hours ... ", etc. ${vbdata2} is the second line, or "IF-MIB:linkDown ...". So to get my interface name, I needed ${vbdata4} in my heading.
My template looks like this:
${MESSAGETYPE} : ${DateTime}
Node: ${Hostname} / ${IP}
Interface: ${vbdata4}
${MESSAGE}
NOTE: This message will not show up in the All Alerts page. To edit it, log onto server hapsworion01 and launch the Trap Viewer.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
du243 over 9 years ago

this worked very well , I used colorcode to get alerts
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
mavturner over 11 years ago

Thanks for the feedback Ianbldr. You are correct, this is not possible today. I've opened an item to track this request.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
lanbldr over 11 years ago

Very helpful, but also limited. Some devices I am monitoring via traps send the variable bindings in different numbers and order for different events. So for APC UPS alerts, ${vbdata1} contains the actual event description, but for the enviroment probe on the UPS is stuffs four probe-related varbinds ahead of that and I need ${vbdata5}. I've resorted to filtering on a range of OIDs that I happen to know are environment alarms and set up a completely different alarm for those, and excluded them from the power alarms, but it sure would be easier (and more reliable) if we could grab the varbind by its name instead of its relative placement in the trap message. In the case of APC, the field is named mtrapargsString for all traps. It would be awesome to be able to just put ${mtrapargsString} in the alarm message along with ${Date} and ${LongTime}. Or is this possible and I missed it?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel