
SNMP Flex parser

Good morning everyone,

I'm trying to develop a parser for the "SNMP Unified" connector. The device we are trying to get into ArcSight is an Allot network device. I'm fine with the development of the parser itself:

[snmp]# cat sdksnmp.1.snmptrap.properties
# Mapper file
#
token.count=4
token[0].name=alarmSeverity
token[0].type=String
token[1].name=alarmDescription
token[1].type=String
token[2].name=alarmTimestamp
token[2].type=String
token[3].name=alarmIndex
token[3].type=String
additionaldata.enabled=true
event.detectTime=__longToTimeStamp(alarmTimestamp)
event.eventName=alarmDescription
event.deviceSeverity=alarmSeverity
event.deviceCustomString1Label=__stringConstant("Alarm Index")
event.deviceCustomString1=alarmIndex
event.deviceVendor=__getVendor("Allot")
event.deviceProduct=__stringConstant("NX")
severity.map.veryhigh.if.deviceSeverity=3
severity.map.high.if.deviceSeverity=4
severity.map.medium.if.deviceSeverity=5
severity.map.low.if.deviceSeverity=6
severity.map.verylow.if.deviceSeverity=0,1,2

The problem is I don't know where to place the files and how to name them. I feel the documentation is not clear about this point.

Please find below the entry in the log:

[2016-05-06 06:52:42,738][INFO ][default.com.arcsight.agent.loadable.agent._UnifiedSNMPTrapConnector][processSNMPTrap] Trap type [1] not configured.
[2016-05-06 06:52:42,739][INFO ][default.com.arcsight.agent.b_.a.b$c][doStart()] received v1/v2c/v3 trap: Trap [varbinds={1.3.6.1.4.1.2603.10.2.1.1.9.172.18.47.226.14.0.7.0=VarBind [oid=1.3.6.1.4.1.2603.10.2.1.1.9.172.18.47.226.14.0.7.0, type=OctetString, value=172.18.47.226.14.0.0], 1.3.6.1.4.1.2603.10.2.1.1.8.172.18.47.226.14.0.7.0=VarBind [oid=1.3.6.1.4.1.2603.10.2.1.1.8.172.18.47.226.14.0.7.0, type=Counter64, value=1462513988000], 1.3.6.1.4.1.2603.10.2.1.1.7.172.18.47.226.14.0.7.0=VarBind [oid=1.3.6.1.4.1.2603.10.2.1.1.7.172.18.47.226.14.0.7.0, type=OctetString, value=Link INTERNAL2 is down: admin status is up and operational state is down], 1.3.6.1.4.1.2603.10.2.1.1.6.172.18.47.226.14.0.7.0=VarBind [oid=1.3.6.1.4.1.2603.10.2.1.1.6.172.18.47.226.14.0.7.0, type=Integer32, value=4]}, timestamp=21188740, agentAddress=hostname.domain/111.222.111.222, genericCode=6, specificCode=1, enterpriseId=1.3.6.1.4.1.2603.10]
[2016-05-06 06:52:42,740][INFO ][default.com.arcsight.agent.loadable.agent._UnifiedSNMPTrapConnector][processSNMPTrap] Unable to process trap (not configured) [occurence #1]:
Received SNMPv2 trap
        Port : 1162
        Generating Agent : hostname.domain/111.222.111.222
        Sending Agent : 222.111.222.111/161
        Time Stamp : 21188740
        Enterprise OID : 1.3.6.1.4.1.2603.10
        Trap Type : 1
        Var Binds:4
VarBind #0
        1.3.6.1.4.1.2603.10.2.1.1.6.172.18.47.226.14.0.7.0
        StringValue: 4
        TimeStamp: 0
        Type: Integer32
        Value: 4
VarBind #1
        1.3.6.1.4.1.2603.10.2.1.1.7.172.18.47.226.14.0.7.0
        StringValue: Link INTERNAL2 is down: admin status is up and operational state is down
        TimeStamp: 0
        Type: OctetString
        Value: Link INTERNAL2 is down: admin status is up and operational state is down
VarBind #2
        1.3.6.1.4.1.2603.10.2.1.1.8.172.18.47.226.14.0.7.0
        StringValue: 1462513988000
        TimeStamp: 0
        Type: Counter64
        Value: 1462513988000
VarBind #3
        1.3.6.1.4.1.2603.10.2.1.1.9.172.18.47.226.14.0.7.0
        StringValue: 172.18.47.226.14.0.0
        TimeStamp: 0
        Type: OctetString
        Value: 172.18.47.226.14.0.0

Could anyone give me a hand with this?

Regards,

Gabriel Crespo

Acclaimed Contributor

Create a directory under your FlexConnector:

current/user/agent/flexagent/snmp/1.3.6.1.4.1.2603.10/

Then create your parser as the file "sdksnmp.0.snmptrap.properties" and place it in the folder you created above.

Trusted Contributor

I haven't had much luck with this either, but for me I think the issue is in the sdksnmp.0.snmptrap.properties file. Like Shaun Watson said, you create and name a folder whatever the Enterprise OID is, then place it under the current/user/agent/flexagent/snmp directory.

Acclaimed Contributor

I think the integer in the filename (sdksnmp.0.snmptrap.properties) is supposed to have some relationship to the version of SNMPTRAP coming into the system. For all intents and purposes you can try to treat all versions the same and either copy or symlink that file to 1, 2, 3 and 4.

Trusted Contributor

Any idea why this doesn't work?

[Thu May 12 13:54:54 EDT 2016] [INFO ] Trap type [440] not configured.
[Thu May 12 13:54:54 EDT 2016] [INFO ] Unable to process trap (not configured) [occurence #2]:
Received SNMPv2 trap
        Port : 162
        Generating Agent : host/ip
        Sending Agent : ip/1030
        Time Stamp : 68848310
        Enterprise OID : 1.3.6.1.4.1.3764.1.10.10.3
        Trap Type : 440
        Var Binds:2
VarBind #0
        1.3.6.1.4.1.3764.1.10.10.1.5.0
        StringValue: A0C0109803
        TimeStamp: 0
        Type: OctetString
        Value: A0C0109803
VarBind #1
        1.3.6.1.4.1.3764.1.10.10.3.1.2.0
        StringValue: admin
        TimeStamp: 0
        Type: OctetString
        Value: admin

properties file name: sdksnmp.440.snmptrap

# SNMP Flexconnector for OID 1.3.6.1.4.1.3764.1.10.10.  type 1 Traps
token.count=2
token[0].oid=1.3.6.1.4.1.3764.1.10.10.1.5.0
token[0].Name=VarBind0
token[0].Type=String
token[1].oid=1.3.6.1.4.1.3764.1.10.10.3.1.2.0
token[1].Name=VarBind1
token[1].Type=String
additionaldata.enabled=true
event.name=__stringConstant("Logon Success")
event.categorySignificance=__stringConstant("/Informational")
event.categoryBehavior=__stringConstant("/Authentication/Verify")
event.categoryOutcome=__stringConstant("/Success")
event.deviceCustomString1=varBind0
event.deviceCustomString2=VarBind1
event.deviceVendor=__stringConstant("IBM")
event.deviceProduct=__stringConstant("Tape Library")

Trusted Contributor

I figured out my problem here: I had token[0].Name and .Type in uppercase; when I changed them to lowercase it began working. Ah, the woes of case sensitivity.

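A small helper, added here and not taken from the thread or from ArcSight, that pulls the Enterprise OID, Trap Type and varbind OIDs out of the connector's "Unable to process trap" dump, builds the parser path the replies describe (directory named after the Enterprise OID under current/user/agent/flexagent/snmp, file number taken from the Trap Type, which is an assumption drawn from the sdksnmp.440 post), emits a skeleton with lowercase token keys, and lints an existing file for the capitalised keys and mismatched token references seen above. The sample dump is constructed from the format shown in this thread.

```python
import re
# Constructed sample in the format of the connector's "Unable to process trap" dump above.
SAMPLE_DUMP = """Received SNMPv2 trap
        Enterprise OID : 1.3.6.1.4.1.3764.1.10.10.3
        Trap Type : 440
        Var Binds:2
VarBind #0
        1.3.6.1.4.1.3764.1.10.10.1.5.0
        StringValue: A0C0109803
        Type: OctetString
VarBind #1
        1.3.6.1.4.1.3764.1.10.10.3.1.2.0
        StringValue: admin
        Type: OctetString
"""
FLEX_DIR = "current/user/agent/flexagent/snmp"   # directory given in the first reply

def parse_trap_dump(text):
    """Return (enterprise_oid, trap_type, [(oid, snmp_type), ...]) from the connector dump."""
    ent = re.search(r"Enterprise OID\s*:\s*([\d.]+)", text).group(1)
    ttype = int(re.search(r"Trap Type\s*:\s*(\d+)", text).group(1))
    # Each VarBind block: header line, bare OID line, then its "Type:" line further down.
    binds = re.findall(r"VarBind #\d+\s*\n\s*([\d.]+)[\s\S]*?Type:\s*(\w+)", text)
    return ent, ttype, binds

def parser_path(enterprise_oid, trap_type):
    """Directory = Enterprise OID; file number = Trap Type (assumption drawn from the replies)."""
    return f"{FLEX_DIR}/{enterprise_oid}/sdksnmp.{trap_type}.snmptrap.properties"

def skeleton_properties(binds):
    """Emit lowercase token keys only: the connector is case sensitive (see the fix above)."""
    lines = [f"token.count={len(binds)}"]
    for i, (oid, _snmp_type) in enumerate(binds):
        lines += [f"token[{i}].oid={oid}", f"token[{i}].name=varbind{i}", f"token[{i}].type=String"]
    return "\n".join(lines)

def lint_properties(text):
    """Flag capitalised token keys and event mappings that reference an undeclared token name."""
    problems, declared = [], set()
    for key, value in re.findall(r"^\s*([^#=\s]+)\s*=\s*(.*)$", text, re.M):
        m = re.match(r"token\[\d+\]\.(\w+)$", key)
        if m and m.group(1) != m.group(1).lower():
            problems.append(f"{key}: token keys must be lowercase")
        if m and m.group(1).lower() == "name":
            declared.add(value.strip())
    for key, value in re.findall(r"^\s*(event\.\w+)\s*=\s*([A-Za-z]\w*)\s*$", text, re.M):
        if value not in declared:
            problems.append(f"{key}: '{value}' is not a declared token name")
    return problems
```

Run `lint_properties` over the tape-library file above and it reports the two uppercase keys per token as well as the `varBind0` reference, which does not match the declared `VarBind0` exactly.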
Super Contributor

Hello Charles,

It would be very good if you marked your question as answered. This may help other community users with the same problem find a solution more quickly.
