Thank you in advance for any help you can offer.
Using the Trap Viewer utility program (which I really wish was simply part of NPM, so it can flow through the same business rules and use the same alerting templating system), I have setup some very trivial test alerts. From a Sol10 Box, I use the following test alert (going to fictional server "orion_box":
snmp_trapsend -h orion_box -c public -i orion_box -a ".188.8.131.52.184.108.40.206.1.1 STRING (firefirefire)"
I have no incredibly logical reason for using that MIB other than it seems popular with the cool kids on Google. ;)
The above works for getting an alert into Trap Viewer. I'm then catching and alerting on it using the following filter rule:
SNMPv2-MIB:snmpTrapOID is equal to KERNEL-READER-SUNMANAGEMENTCENTER-MIB:prod.220.127.116.11
and have it send a simple email alert that works and looks a little like:
8/28/2009 1:25 PM : KERNEL-READER-SUNMANAGEMENTCENTER-MIB:prod.18.104.22.168 SNMP Trap
Received Time:8/28/2009 1:25:28 PM
sysUpTime:= 0.00 seconds (0)
snmpTrapOID:= KERNEL-READER-SUNMANAGEMENTCENTER-MIB:prod.22.214.171.124 (126.96.36.199.188.8.131.52.184.108.40.206)
snmpTrapEnterprise:= KERNEL-READER-SUNMANAGEMENTCENTER-MIB:prod.1.1 (220.127.116.11.18.104.22.168.1.1)
1) Is there any way to have it filter based on the String portion of the alert? I tried hand typing in "SNMPv2-MIB:mbufs.1.2.0 is equal to firefirefire" - which was not rejected by the editor, but it doesn't work.
2) What is the best way to approach this, outside of trying to define an OID for each type of user generated trap (and we're using them sparingly, but they're very important) that will be received?
3) If I do have to create my own OIDs.. can anyone suggest a best practice? Is there a defined userspace for safely creating your own universe such that it will never collide with anything you would expect to get from a vendor? (A logical equivalent to using a non-routeable IP space.)
4) Am I just missing an entirely larger picture here? :) I'm fine with that and would like to be set straight.
My alternative at this point is just to have it call a simple Perl script and setup a simple decision and alerting tree based on the origin IP and the text in the alert. I'd like to utilize the product as is, and follow what would be considered best practices by industry on this one, however.
Again, thanks for any help in advance.
PS - I did see the posting on having it shell out to a VB script to inject an artificial event into NPM/APM to allow for the alerts to be part of the normal email flow, but I'd rather not tinker with the logic of the product in such a fashion.