2 Replies Latest reply on Jan 6, 2012 4:45 AM by DDX

    Need help with SNMP trap filtering in IPMv10

      I've got an SNMP trap monitor set up so I can be notified when critical hardware issues occur. I want this monitor to implicitly capture any event sent to it and then filter out the noise that I don't care about (e.g. battery charge cycle starting, learn cycle starting in 4 days, etc.). I've got a mix of Dell and HP servers that send messages.

      My monitor is set up to accept messages from any IP, the public community, any type, and Enterprise OID of 1.3.6.1.*

      The problem I'm having is with filtering out the noise. When I enable variable binding I can do a prefix match of 1.3.6.1.4.1.674 (used by Dell servers) with a numeric type, but if I use anything other than "==" to evaluate the result, filtering isn't working. For example, if I choose "!=" and a value of 2180 (which is "The controller battery Learn cycle will start in 4 days.") the message is still accepted. I suspect this has to do with the fact that there are other numeric variables in the trap message which pass. For example:

      1.3.6.1.4.1.674.10893.1.20.200.1.0: TYPE[2] NUMERIC 2180
      1.3.6.1.4.1.674.10893.1.20.200.2.0: TYPE[4] TEXT "The controller battery Learn cycle will start in 4 days."
      1.3.6.1.4.1.674.10893.1.20.200.3.0: TYPE[4] TEXT "Controller 0"
      1.3.6.1.4.1.674.10893.1.20.200.4.0: TYPE[4] TEXT "Battery 0"
      1.3.6.1.4.1.674.10893.1.20.200.5.0: TYPE[4] TEXT "1.3.6.1.4.1.674.10893.1.20.130.15.1.1.1"
      1.3.6.1.4.1.674.10893.1.20.200.6.0: TYPE[4] TEXT "\\0\\0"
      1.3.6.1.4.1.674.10893.1.20.200.7.0: TYPE[2] NUMERIC 3
      1.3.6.1.4.1.674.10893.1.20.200.8.0: TYPE[2] NUMERIC 3

      I could set up variable binding on the prefix "1.3.6.1.4.1.674.10893.1.20.200.1" but that limits me to one specific set of Dell messages and forces me to set up multiple trap monitors for each prefix I care about. This defeats the purpose of having a generic monitor where I can filter out what I don't care about and still receive everything else.

      FWIW I had this working perfectly in IPMv9 using the prefix "1.3.6.1.4.1.674".

      Any help on how to get this working correctly in IPMv10 is appreciated.
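
The behaviour suspected in the post above, as an added Python illustration (not part of the original thread and not the monitoring product's own logic): if a prefix rule accepts a trap when any numeric varbind under the prefix passes the comparison, "!=" 2180 still accepts the learn-cycle trap because the value 3 passes, whereas a deny-list keyed on the exact message-ID OID drops it. The any-match semantics, the function names and the event id 9999 are assumptions made for the example.

```python
import operator
import re

# Varbind lines in the format the monitor log above uses.
VARBIND = re.compile(r'^\s*([\d.]+): TYPE\[(\d+)\] (NUMERIC|TEXT) (.*)$')
OPS = {"==": operator.eq, "!=": operator.ne}

def parse_varbinds(text):
    """Return [(oid, value)], with NUMERIC values converted to int."""
    out = []
    for line in text.splitlines():
        m = VARBIND.match(line)
        if m:
            oid, _type, kind, raw = m.groups()
            out.append((oid, int(raw) if kind == "NUMERIC" else raw.strip('"')))
    return out

def under(oid, prefix):
    # Component-wise prefix match so "1.3.6.1.4.1.674" does not match "...6740".
    return oid == prefix or oid.startswith(prefix + ".")

def any_numeric_match(varbinds, prefix, op, value):
    """Assumed semantics: accept if ANY numeric varbind under prefix passes."""
    return any(OPS[op](v, value) for oid, v in varbinds
               if under(oid, prefix) and isinstance(v, int))

def accept_unless_noise(varbinds, id_oid, noise_ids):
    """Deny-list: drop only when the varbind at exactly id_oid is listed noise."""
    ids = [v for oid, v in varbinds if oid == id_oid]
    return not (ids and ids[0] in noise_ids)

# Trap from the post (varbinds .1.0, .2.0, .7.0 and .8.0 only).
LEARN_CYCLE = parse_varbinds('''
1.3.6.1.4.1.674.10893.1.20.200.1.0: TYPE[2] NUMERIC 2180
1.3.6.1.4.1.674.10893.1.20.200.2.0: TYPE[4] TEXT "The controller battery Learn cycle will start in 4 days."
1.3.6.1.4.1.674.10893.1.20.200.7.0: TYPE[2] NUMERIC 3
1.3.6.1.4.1.674.10893.1.20.200.8.0: TYPE[2] NUMERIC 3
''')
# Constructed trap with a made-up event id, standing in for one worth alerting on.
OTHER = [("1.3.6.1.4.1.674.10893.1.20.200.1.0", 9999),
         ("1.3.6.1.4.1.674.10893.1.20.200.7.0", 3)]

DELL = "1.3.6.1.4.1.674"
ID_OID = "1.3.6.1.4.1.674.10893.1.20.200.1.0"
```

Under the assumed any-match rule, `any_numeric_match(LEARN_CYCLE, DELL, "!=", 2180)` is true even though the message ID is 2180, while `accept_unless_noise(LEARN_CYCLE, ID_OID, {2180})` is false and the constructed trap is still accepted.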

        • Re: Need help with SNMP trap filtering in IPMv10

          I am also struggling with this. I am filtering on OID: 1.3.6.1.4.1.674.* but this includes a lot of traps I do not want alerts on. It would be a lot easier to filter out the ones I don't want with a specific-trap option somewhere than to set up a trap monitor for every trap I do want. There would be hundreds of monitors just for Dell traps.

          How could I allow everything in except the following trap (for instance):

          Intact SNMP Trap Accepted: time(Tue Mar 30 12:43:58 2010) src_ip(192.168.3.217)
          version: 1
          community: public
          enterprise: 1.3.6.1.4.1.674.10892.1
          agent-addr: 192.168.3.217
          generic-trap: enterpriseSpecific (6)
          specific-trap: 1001
          time-stamp: 1377
          Variable Bindings:
          1.3.6.1.4.1.674.10892.1.5000.10.1.0: TYPE[4] TEXT "CISDB4"
          1.3.6.1.4.1.674.10892.1.5000.10.2.0: TYPE[6] TEXT "0.0"
          1.3.6.1.4.1.674.10892.1.5000.10.3.0: TYPE[4] TEXT "Server Administrator startup complete"
          1.3.6.1.4.1.674.10892.1.5000.10.4.0: TYPE[2] NUMERIC 3
          1.3.6.1.4.1.674.10892.1.5000.10.5.0: TYPE[2] NUMERIC 2
          1.3.6.1.4.1.674.10892.1.5000.10.6.0: TYPE[4] TEXT ""