Hi,
this post describes a simple way to forward all traps received via SNMP by e-mail.
The process is split into several steps:
- Receive the traps => snmptrapd
- snmptrapd calls the trap handler script after each received trap. The trap details are handed over to the script via STDIN
- The trap handler is /usr/sbin/snmptthandler. This script spools all traps to /var/spool/snmptt
- snmptt gets the traps from the spool folder, translates them into a human-readable format and calls a custom script defined by snmptt.conf
First of all, set up a Debian system and install all required packages.
michael@debdev ~ # sudo su -
root@debdev ~ # apt install snmp snmptrapd snmptt libsnmp-perl
root@debdev ~ # apt update && apt upgrade
Edit /etc/snmp/snmptrapd.conf.
Set the community, the UDP port and the trap handler. The trap handler is the command to which snmptrapd passes its received traps via STDIN.
authcommunity log,execute,net MyCommunity
snmpTrapdAddr udp:162
traphandle default /usr/sbin/snmptthandler
For snmptt, the snmptrapd output needs to be adjusted with an additional command-line parameter: copy the default systemd unit file and add the -On switch (displays the OID numerically and symbolic).
root@debdev ~ # cp /usr/lib/systemd/system/snmptrapd.service /etc/systemd/system
root@debdev ~ # vi /etc/systemd/system/snmptrapd.service
root@debdev ~ # systemctl daemon-reload
root@debdev ~ # systemctl enable snmptrapd
...
ExecStart=/usr/sbin/snmptrapd -LOw -Lf /var/log/snmptrapd.log -On -f -p /run/snmptrapd.pid
...
snmptt converts the SNMP traps into a readable string based on their OIDs. To translate the OIDs into a string, snmptt needs the related MIB files from the vendor and the standard (RFC) MIBs. A good starting point is the circitor.fr repository.
Create a directory for additional MIBs (the default directories are /usr/share/snmp/mibs and /usr/share/snmp/mibs/iana).
root@debdev ~ # mkdir -p /var/lib/trapprocessing/mibs
root@debdev ~ # chown -R michael /var/lib/trapprocessing/mibs
The following steps try to download all of them.
Get the website. Extract all links.
michael@debdev ~ # wget http://www.circitor.fr/Mibs/Mibs.php -O /tmp/circitor.fr.html
michael@debdev ~ # grep '<a href="Html/' /tmp/circitor.fr.html > /tmp/circitor.fr_links_only.html
Build the whole URL list for all MIBs from the downloaded HTML file (as of 31.05.2023)
Replace <a href="Html/ with https://www.circitor.fr/Mibs/Mib/
michael@debdev ~ # sed -i -e 's/<a href="Html\//https:\/\/www.circitor.fr\/Mibs\/Mib\//g' /tmp/circitor.fr_links_only.html
Replace .php">[A-Za-z0-9-]+?</a><br> with .mib
michael@debdev ~ # sed -i -e 's/\.php">[A-Za-z0-9-]\+<\/a><br>/.mib/g' /tmp/circitor.fr_links_only.html
/tmp/circitor.fr_links_only.html should now contain a list of all MIBs
michael@debdev ~ # cat /tmp/circitor.fr_links_only.html
...
https://www.circitor.fr/Mibs/Mib/Z/ZYXEL-SUBNET-BASED-VLAN-MIB.mib
https://www.circitor.fr/Mibs/Mib/Z/ZYXEL-SYS-MEMORY-MIB.mib
https://www.circitor.fr/Mibs/Mib/Z/ZYXEL-SYSLOG-MIB.mib
https://www.circitor.fr/Mibs/Mib/Z/ZYXEL-SYSTEM-MGMT-MIB.mib
https://www.circitor.fr/Mibs/Mib/Z/ZYXEL-SYSTEM-MIB.mib
...
Download the whole list to /var/lib/trapprocessing/mibs
michael@debdev ~ # mkdir -p /var/lib/trapprocessing/mibs
michael@debdev ~ # wget -i /tmp/circitor.fr_links_only.html -w 5 -P /var/lib/trapprocessing/mibs
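The list-building steps above as one filter that also rejects every line not shaped like a MIB URL on the expected host before it reaches wget -i. This is an added example, not the author's commands; the function names and the sample HTML are constructed, and the link format is assumed from the sed expressions above.

```bash
#!/bin/bash
# Added example (not the author's commands): build the MIB URL list and keep
# only lines of the expected shape.

# Constructed sample of link lines; the exact HTML of the real page is an
# assumption. The last three lines must not end up in the download list.
sample_html() {
cat <<'EOF'
<a href="Html/Z/ZYXEL-SYSLOG-MIB.php">ZYXEL-SYSLOG-MIB</a><br>
  <a href="Html/Z/ZYXEL-SYSTEM-MIB.php">ZYXEL-SYSTEM-MIB</a><br>
<a href="Html/../../other.php">other</a><br>
<a href="Html/Z/A.php">A</a><br><a href="http://elsewhere.example/x.mib">x</a>
<a href="index.php">home</a>
EOF
}

# Reads the downloaded HTML on stdin and prints one URL per line.
mib_urls_from_html() {
    grep '<a href="Html/' |
    sed -e 's/^[[:space:]]*//' \
        -e 's|<a href="Html/|https://www.circitor.fr/Mibs/Mib/|' \
        -e 's|\.php">[A-Za-z0-9_-]\{1,\}</a><br>[[:space:]]*$|.mib|' |
    # Allow-list: fixed scheme, host and path prefix, one directory level,
    # a plain file name. Anything else (leftover HTML, "..", other hosts)
    # is dropped instead of being handed to wget.
    grep -E '^https://www\.circitor\.fr/Mibs/Mib/[A-Za-z0-9]+/[A-Za-z0-9][A-Za-z0-9._-]*\.mib$'
}

# Demo on the constructed sample; for the real page use:
#   mib_urls_from_html < /tmp/circitor.fr.html > /tmp/circitor.fr_links_only.html
sample_html | mib_urls_from_html
```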
Contact your hardware vendor for any device specific MIBs.
Then set the path(s) and tell the SNMP backend to use all MIBs. If you have MIBs in other paths, append them to the list.
Edit /etc/snmp/snmp.conf
mibs +ALL
printNumericOids 1
mibdirs /var/lib/trapprocessing/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf
Then define a simple script that snmptt calls after the conversion. This script can later be modified to send mail etc.
michael@debdev ~ # vi /var/lib/trapprocessing/trapprocessing.sh
The file /var/lib/trapprocessing/trapprocessing.sh simply appends all received traps to a file
#!/bin/bash
# Append a separator line and the trap details passed by snmptt to /tmp/traps.txt
echo "##########################################################################" >> /tmp/traps.txt
echo "$@" >> /tmp/traps.txt
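A possible mail-sending version of this script, added here as an example and not the author's own code. Trap contents come from whoever sent the trap, so they are reduced to printable ASCII before they are placed in the Subject line or the body. The addresses are placeholders, and a local MTA providing /usr/sbin/sendmail is assumed.

```bash
#!/bin/bash
# Added example (not the author's script): mail-sending variant of
# /var/lib/trapprocessing/trapprocessing.sh.
# Assumptions: MAIL_TO / MAIL_FROM are placeholder addresses and a local MTA
# provides /usr/sbin/sendmail.
MAIL_TO="noc@example.org"
MAIL_FROM="snmptt@example.org"

# Keep printable ASCII only (this drops CR/LF, so a trap field cannot start a
# new mail header) and cap the length at $2 characters.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd '\040-\176' | cut -c "1-$2"
}

# Print a complete mail message for one trap; "$*" is everything snmptt passed
# via the --exec line, joined with spaces.
build_trap_mail() {
    printf 'From: %s\n' "$MAIL_FROM"
    printf 'To: %s\n' "$MAIL_TO"
    printf 'Subject: [SNMP trap] %s\n' "$(sanitize "$*" 80)"
    printf '\n'
    printf '%s\n' "$(sanitize "$*" 2000)"
}

# Called by snmptt with arguments: hand the message to the MTA. The recipient
# is given explicitly instead of being read from the headers.
if [ "$#" -gt 0 ]; then
    build_trap_mail "$@" | /usr/sbin/sendmail -i "$MAIL_TO"
fi
```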
Now adjust the snmptt ini file /etc/snmp/snmptt.ini. At least:
mibs_environment = ALL
net_snmp_perl_enable = 1
unknown_trap_log_enable = 1
duplicate_trap_window = 300
If you want to run snmptt in daemon mode and receive traps via snmptthandler, mode = daemon must be set in snmptt.ini.
mode = daemon
Enable unknown_trap_log_enable so that missing MIBs can be identified; otherwise the unknown traps will be dropped. duplicate_trap_window is also useful: it groups identical traps (recognized by an MD5 hash) and sends only one of them within the duplicate_trap_window (in seconds) time range.
From the MIB files (the downloaded ones and the ones delivered with Debian) create an snmptt.conf file.
The file is required for translating OIDs into a message and for defining the script (here /var/lib/trapprocessing/trapprocessing.sh) that is called after the translation.
The properties sent to the script can be set by $xx variables. See the whole list here.
If you call snmpttconvertmib multiple times, it always appends to /etc/snmp/snmptt.conf. So if you want to create a new one, you have to delete or move the old one first. find descends into subdirectories, so /usr/share/snmp/mibs also covers its iana subdirectory.
root@debdev ~ # mv /etc/snmp/snmptt.conf /etc/snmp/snmptt.conf.org
root@debdev ~ # find /var/lib/trapprocessing/mibs /usr/share/snmp/mibs -type f -exec snmpttconvertmib --in {} --out=/etc/snmp/snmptt.conf --net_snmp_perl --exec '/var/lib/trapprocessing/trapprocessing.sh $x $X $r $ar $D $C $s $O $o $E $e' \;
Then enable the snmptt daemon
root@debdev ~ # systemctl enable snmptt
Test
michael@debdev ~ # snmptrap -v 2c -c MyCommunity 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 2 ifAdminStatus i 1 ifOperStatus i 2
Log files / troubleshooting
snmptrapd -> /var/log/snmptrapd.log
snmptt -> /var/log/snmptt/snmptt.log and /var/log/snmptt/snmpttunknown.log
Michael