
Nagios XI – How to Configure SNMPTT & Monitor Network Events Using SNMP Traps


The Industry Standard in IT Infrastructure Monitoring
Purpose
This document describes how to configure Nagios XI to receive and process SNMP traps. Monitoring SNMP traps allows system administrators to monitor real-time events and network incidents in order to ensure an accurate and healthy monitoring environment.

Target Audience
This document is intended for use by Nagios administrators looking to integrate SNMP traps into their monitoring configuration to gain greater insight into their IT infrastructure.

Requirements
Users must be running Nagios XI 2009R1.1H or later to use the instructions and wizards described in this document. Administrators will need to be familiar with configuring network devices to trigger event-based alerts and finding/installing vendor-specific MIBs.

Automated Installation
The steps required to install and configure SNMP traps with Nagios XI can be accomplished by using a few custom binaries alongside the default snmptt package. Follow the steps below to install the appropriate components and configure Nagios XI to accept SNMP traps.

Step 1: Log in to the Nagios XI server as the root user.

Step 2: Download the automated installation script to the /tmp directory using the terminal.
    $ cd /tmp
    $ wget http://assets.nagios.com/downloads/support/snmptrap-bins.tar.bz2

Step 3: Extract the bzip file and change directory.
    $ tar xjf snmptrap-bins.tar.bz2
    $ cd snmpbins/

Step 4: Copy the files to the appropriate directory.
    $ cp ./* /usr/local/bin/

Step 5: Install the default snmptt package.
    $ yum install snmptt -y

Step 6: Edit /etc/snmp/snmptt.ini and modify the following lines.
    $ vi /etc/snmp/snmptt.ini

Within the .ini file, change the following lines:
    mode = standalone              to   mode = daemon
    log_system_enable = 0          to   log_system_enable = 1
    unknown_trap_log_enable = 0    to   unknown_trap_log_enable = 1

Nagios Enterprises, LLC  P.O. Box 8154  Saint Paul, MN 55108 USA
US: 1-888-NAGIOS-1  Int'l: +1 651-204-9102  Fax: +1 651-204-9103
Web: www.nagios.com  Email: sales@nagios.com
Copyright © 2013 Nagios Enterprises, LLC  Revision 1.0 – December, 2013

Step 7: Create /etc/snmp/snmptrapd.conf and add the following lines.
    $ vi /etc/snmp/snmptrapd.conf

    disableAuthorization yes
    traphandle default /usr/sbin/snmptthandler

Step 8: Add the snmptt user to the nagios and nagcmd groups.
    $ usermod -a -G nagcmd snmptt
    $ usermod -a -G nagios snmptt

Step 9: Start the snmptt and snmptrapd services.
    $ service snmptrapd start
    $ service snmptt start

This completes the install for snmptt and snmptrapd daemons to receive and process traps on the Nagios XI system. The basics needed to forward traps as passive results to Nagios are also there, but may need some additional configuration depending on your environment, as described below.
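The snmptrapd.conf from Step 7 sets disableAuthorization yes, so snmptrapd passes every incoming trap to snmptthandler regardless of sender or community string. The check below is an added example, not part of the original Nagios document: it flags that directive and recognises a source-restricted authCommunity line as the alternative. The function name, the community string EXAMPLE-COMMUNITY and the 192.0.2.0/24 source are assumptions, and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the Nagios document). Audits an snmptrapd.conf
# and returns 1 when traps are accepted without any authorization check.
audit_snmptrapd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "disableauthorization" && tolower($2) == "yes" {
            print "FAIL line " NR ": disableAuthorization yes, access control is off"
            bad = 1
        }
        tolower($1) == "authcommunity" {        # authCommunity TYPES COMMUNITY [SOURCE]
            seen = 1
            if (NF < 4) {
                print "WARN line " NR ": community accepted from any address"
            } else {
                print "OK   line " NR ": community restricted to " $4
            }
        }
        END {
            if (!seen && !bad) print "INFO no authCommunity directive found"
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample 1: the file exactly as written in Step 7.
step7_conf=$(mktemp)
printf '%s\n' 'disableAuthorization yes' \
    'traphandle default /usr/sbin/snmptthandler' > "$step7_conf"

# Constructed sample 2: same handler, but only a named community from a
# known management subnet may log and execute (placeholder values).
restricted_conf=$(mktemp)
printf '%s\n' 'authCommunity log,execute,net EXAMPLE-COMMUNITY 192.0.2.0/24' \
    'traphandle default /usr/sbin/snmptthandler' > "$restricted_conf"

audit_snmptrapd_conf "$step7_conf" || echo "=> Step 7 file accepts any trap"
audit_snmptrapd_conf "$restricted_conf"
rm -f "$step7_conf" "$restricted_conf"
```

With an authCommunity line in place, the devices sending traps must use the same community string, and the snmptrap test command must pass it with -c.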

Intermediary Firewalls
Before you can configure remote devices to send SNMP traps to Nagios XI you will have to configure any intermediary firewalls between the Nagios XI server and the remote device to allow inbound SNMP traps to be sent to Nagios XI. This involves allowing UDP port 162 traffic from remote devices to the Nagios XI server, which may include iptables on the sending device and nagios server, and any firewalls between them.

To alter the iptables rules, use your favorite text editor to edit /etc/sysconfig/iptables (default location for CentOS systems). You will need to repeat all of these steps on each Linux machine with the exception of which rules get added to the iptables file.
    $ service iptables stop
    $ vi /etc/sysconfig/iptables

Remote Server Rules: By default iptables allows all outgoing traffic, however you can add the following lines to the OUTPUT ACCEPT section.
    -A OUTPUT -p udp --dport 162 -j ACCEPT

Nagios Server Rules: Add the following line to the INPUT ACCEPT section.
    -A INPUT -p udp --dport 162 -j ACCEPT

Once you have saved the changes to the iptables file, you need to restart the iptables service.
    $ service iptables start

Remember that unlike with most checks, Nagios XI is the server (rather than the client) for SNMP traps, so the packet flow is inbound to the Nagios XI machine.
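The Nagios server rule above accepts UDP 162 from any address. As an added example (not part of the original document), the check below lists the trap-accepting INPUT rules in an iptables rules file and flags those without a -s/--source restriction. The function name and the 192.0.2.10 sender address are assumptions, and the sample rules file is constructed.

```shell
#!/bin/sh
# Added example (not from the Nagios document). Reads an iptables rules
# file and reports INPUT rules that ACCEPT UDP 162. Rules without
# -s/--source are marked OPEN and make the function return 1.
# Only an exact "--dport 162" is recognised (no ranges or multiport).
audit_trap_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            udp = port = accept = 0; src = ""
            for (i = 3; i <= NF; i++) {
                if (($i == "-p" || $i == "--protocol") && $(i+1) == "udp") udp = 1
                if ($i == "--dport" && $(i+1) == "162") port = 1
                if (($i == "-s" || $i == "--source") && i < NF) src = $(i+1)
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (udp && port && accept) {
                if (src == "") { print "OPEN       " $0; nopen++ }
                else           { print "RESTRICTED " $0 }
            }
        }
        END { exit (nopen > 0 ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the rule from this section next to a variant that
# only admits one known trap sender (placeholder address).
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 162 -j ACCEPT
-A INPUT -s 192.0.2.10 -p udp --dport 162 -j ACCEPT
COMMIT
EOF
audit_trap_rules "$rules" || echo "=> at least one rule accepts traps from any address"
rm -f "$rules"
```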

Installing MIBs
You may need to configure snmptt on the Nagios XI server to use the MIBs your remote devices are using. This may mean having to load extra MIBs into the /usr/share/snmp/mibs/ directory on the Nagios XI server. This can be done through the XI interface by browsing to the Admin > Manage MIBs page via the top navigation bar. You will then also have to run the following command to import each new MIB into the /usr/share/snmp/mibs/ directory. Remember to replace <PathToNewMIB> with the path to the MIB file you want to import.
    $ addmib <PathToNewMIB>

Adjusting Trap Severity
Edit the Trap Translator configuration file located at /etc/snmp/snmptt.conf and alter the severity of each EVENT to match your personal needs. The default severity level is “Normal” (equivalent to an “OK” state in Nagios). You may want to change some events to have a “Warning” or “Critical” severity level (equivalent to “Warning” and “Critical” states in Nagios, respectively). A severity level of “<NA>” maps to an “Unknown” state in Nagios.

In order to get things working the way you want, you will have to modify the snmptt.conf file. In the example that follows later in this document, the line in snmptt.conf reads:
    EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "Status Events" Normal

It was changed to:
    EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "Status Events" Critical

The configuration file is defined as follows:
    EVENT describes which attribute is being set
    linkDown is the name of the event
    .1.3.6.1.6.3.1.1.5.3 is the OID (Object Identifier) for that type of event
    Normal or Critical is the severity level

For more information on OIDs and what a given number is for, see http://www.oid-info.com/. You are encouraged to submit descriptions for any OIDs you know that are not in the repository yet. Not all event names will be as obvious as linkDown, so you may need to do some research to figure out what to use in your configuration. The MIBs you use may come with documentation that describes what event names can be used. If you would like to read more about the format of the snmptt.conf file, detailed documentation is available from the upstream project on SourceForge, at http://snmptt.sourceforge.net/docs/snmptt.shtml#SNMPTT.CONF-Configuration-file-format.
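The severity change described in this section can be scripted so that only the named EVENT line is touched and a rollback copy is kept. This is an added example, not part of the original document; the function name, the FORMAT lines and the linkUp entry in the constructed sample file are assumptions, and only the three severities this document maps to Nagios states are accepted.

```shell
#!/bin/sh
# Added example (not from the Nagios document). Sets the severity of one
# named EVENT in an snmptt.conf and leaves every other line untouched.
# Returns 2 for an unsupported severity, 3 if the event name is not found.
set_trap_severity() {
    conf=$1; event=$2; severity=$3
    case $severity in
        Normal|Warning|Critical) ;;             # levels named in this document
        *) echo "unsupported severity: $severity" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    ret=0
    awk -v ev="$event" -v sev="$severity" '
        $1 == "EVENT" && $2 == ev {
            sub(/[^ \t]+[ \t]*$/, sev)          # replace only the last field
            changed = 1
        }
        { print }
        END { exit (changed ? 0 : 3) }
    ' "$conf" > "$tmp" || ret=$?
    if [ "$ret" -eq 0 ]; then
        # keep a rollback copy; cat (not mv) preserves the file's owner and mode
        { cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"; } || ret=1
    fi
    rm -f "$tmp"
    return "$ret"
}

# Constructed sample file built around the linkDown line quoted above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
EVENT linkDown .1.3.6.1.6.3.1.1.5.3 "Status Events" Normal
FORMAT Link down on interface $1
EVENT linkUp .1.3.6.1.6.3.1.1.5.4 "Status Events" Normal
FORMAT Link up on interface $1
EOF
set_trap_severity "$sample" linkDown Critical && grep '^EVENT' "$sample"
rm -f "$sample" "$sample.bak"
```

snmptt in daemon mode reads snmptt.conf when it starts, so restart the snmptt service after changing the real file.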

Installing The SNMP Trap Wizard (For users running Nagios XI 2012 r1.0 and earlier)
This section only applies to users running Nagios XI 2012 r1.0 and earlier. If you are using a later version you can skip this section as the SNMP Trap Wizard comes pre-installed on your system. If you need to install the SNMP Trap Wizard, you can find the wizard by searching on the Nagios Exchange at:
http://exchange.nagios.org/directory/Addons/Configuration/Configuration-Wizards
To install the wizard in Nagios XI, use the Upload option on the monitoring wizard administration screen. You would do this via the Admin > Manage Wizards page and uploading the snmp trap wizard.zip that was downloaded.

Using The SNMP Trap Wizard
Each host or device that you wish to receive and process SNMP traps for must have a corresponding SNMP Traps service defined in Nagios XI. Nagios XI has a built-in wizard that makes the configuration of these SNMP trap events quick and simple. To begin using the SNMP Trap Wizard navigate to the Configure > Run the Monitoring Wizard page via the top navigation bar, and select SNMP Trap Wizard. The first screen says “This wizard allows you to enable SNMP Traps for existing hosts that are being monitored”, select next. The wizard will then ask you which host you wish to add an SNMP trap service. When you have selected all the hosts you want, select next. You can now select finish if the default notifications options suit your needs, otherwise continue through with the last three pages pertaining to notification and group options.

SNMP Trap Example
As an example of how SNMP traps can be used in Nagios XI, we have a simulated environment using a Netgear Ethernet switch capable of sending SNMP traps. At the start of our tests Nagios XI reported that everything was okay with the switch.

A patch cable was unplugged from the switch to simulate a network failure. This resulted in the switch sending a trap to Nagios XI (of type linkDown) which we had defined as Critical severity.

We then re-attached the patch cable to the switch. The results show the SNMP trap service in an OK state with an event type linkUp in Nagios XI, indicating things were okay again.

Asynchronous Example
An important point to stress with SNMP traps is that they are asynchronous events that can occur at any time. Thus, they are not actively checked by Nagios XI on a regular schedule (e.g. by polling). You can see this type of asynchronous behavior demonstrated in the sequence of screen-shots below. At the start of the example, Port 7 is connected and up.

An SNMP trap fires as soon as the cable on Port 7 is unplugged. The Port 7 Status service does not reflect this yet, as it has not been checked by Nagios XI since the cable was unplugged.

A scheduled check of the Port 7 Status service occurs and reflects the down state of Port 7.

When the cable is plugged back in to the switch, an SNMP trap is fired off and the SNMP Traps service finds out first.

A few minutes later, a scheduled Nagios check of the Port 7 Status service occurs and the status reflects the up state of Port 7.

This example shows how the use of SNMP traps in your monitoring environment can increase your insight of real-time network events as well as improve response time to network incidents.

Troubleshooting
SNMP traps can get very complicated and generally require some knowledge and troubleshooting to get working just the way you want. Here is an outline of general troubleshooting for SNMP traps. Please note that if you are attempting to use this troubleshooting guide without referring to the above install script, your battle will be uphill as the script enables various aspects of snmptt that we will use exhaustively.

The first thing that is helpful is a separate server that we can send test traps from; this can also be done from the Nagios server, although it will not validate any firewall rules that may be in place. The use of this server will be ephemeral. The command we will use is: snmptrap

On the test-trap-sending host (NOT the Nagios XI host) we'll need a MIB to use to send a test SNMP trap. This MIB was taken from the net-snmp tutorial. You'll need to create a text file called UCD-TRAP-TEST-MIB.txt in the directory /usr/share/snmp/mibs and copy the text below into it.
    $ cd /usr/share/snmp/mibs
    $ vi UCD-TRAP-TEST-MIB.txt

    UCD-TRAP-TEST-MIB DEFINITIONS ::= BEGIN
        IMPORTS ucdExperimental FROM UCD-SNMP-MIB;

    demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }

    demoTrap TRAP-TYPE
        ENTERPRISE demotraps
        VARIABLES { sysLocation }
        DESCRIPTION "An example of an SMIv1 trap"
        ::= 17

    END

Now comes the part where we actually send a trap to our Nagios XI host. In the terminal on your test-trap-sending host, enter the following:
    snmptrap -v 1 -c public <NAGIOS XI SERVER IP> UCD-TRAP-TEST-MIB::demotraps \
        "" 6 17 "" SNMPv2-MIB::sysLocation.0 s "Here"

This will send an SNMP trap to your Nagios XI server. Remember to replace <NAGIOS XI SERVER IP> with the IP address of your Nagios server.

Now that you've sent the test trap, you should check a few things to make sure it's all working. First off, this MIB that we added to the test-trap-sending host does not exist on our Nagios XI server. When the trap gets to the Nagios XI server, it will try to identify the trap by running it against the MIBs in its library. Since the MIB does not exist on the Nagios XI server, it can't identify it and it will dump the trap to the snmpttunknown.log, which is where we will check. To check this log open a terminal on the XI server and run the command below.
    vi /var/log/snmptt/snmpttunknown.log

There should be logs of your test SNMP trap here. If there is not, make sure that there is not some intermediary firewall in the way. Check to make sure iptables is allowing traffic through on ports 161 and 162. Do not progress past this point until you are able to get this test trap.

If you are able to receive a trap, you are ready to start capturing real SNMP traps. Monitor /var/log/snmptt.log for SNMP traps that are coming in. Also make sure that traps are not getting relegated to unknown status by keeping an eye on snmpttunknown.log.

If you are seeing traps in your /var/log/snmptt.log but cannot locate them within your Nagios XI system, it may be that you have not set up your SNMP Traps service for the remote host sending the traps. These traps will continue to be collected in Nagios XI. To view them, navigate within the XI web-interface: Admin > Monitoring Config > Unconfigured Objects.
You can either set up the SNMP Traps service using the wizard or by clicking on the blue triangle under actions.

Closing Notes
SNMP traps are a great method for monitoring asynchronous events in your IT infrastructure. The complexity of managing MIBs and the intricacies of the SNMP protocol can often be daunting, but if you get familiar with the ins and outs of SNMP, it can be a powerful addition to your IT infrastructure management and allow for advanced, real-time network event monitoring. For any support related questions please visit the Nagios Support Forums at: http://support.nagios.com/forum/
