MN-TRAPUGD-006
November 2004
Important Notice
Concord Communications, Inc., eHealth, eHealth Suite, the Concord Logo, eROI, AdvantEDGE, SystemEDGE, Live Health, Network Health, Live Status,
System Health, Application Health, Automating Technology Management, Constellation, Enterprise, Enterprise Monitor, Firstsense, FirstSense and
design, FirstSense Enterprise, Pulse, Pulsecheck, Token/Net, Token/Scope, We See It Happening, Fault Manager, Empire, Empire Technologies and/or
other Concord marks or products referenced herein are either registered trademarks or trademarks of Concord Communications, Inc. Other trademarks
are the property of their respective owners.
SMIC. Copyright 1992 SynOptics Communications, Inc. All Rights Reserved. SynOptics makes no representations about the suitability of this software
for any particular purpose. The software is supplied “as is”, and SynOptics makes no warranty, either express or implied, as to the use, operation,
condition, or performance of the software. SynOptics retains all title and ownership in the software.
eHealth incorporates compression code by the Info-ZIP group. There are no extra charges or costs due to the use of this code, and the original
compression sources are freely available from ftp://ftp.cdrom.com/pub/infozip/ on the Internet and from the Concord Communications Web site:
http://www.concord.com.
© Copyright Bigelow and Holmes 1986, 1985. Lucida is a registered trademark of Bigelow & Holmes. Sun Microsystems Inc., AT&T, and Bigelow &
Holmes make no representations about the suitability of the source code for any purpose. It is provided “as is” without express or implied warranty of
any kind.
General Notice: Some of the product names used herein have been used for identification purposes only and may be trademarks of their respective
companies.
Proprietary Notice
The information and descriptions contained herein are the property of Concord Communications, Inc. Such information and descriptions may not be
copied, disseminated, or distributed without the express written consent of Concord Communications, Inc. Concord Communications, Inc., assumes no
responsibility for any inaccuracies that may appear in this document. Concord Communications, Inc., reserves the right to improve its products and
change specifications at any time without notice.
Patent Information
U. S. Patent 5,615,323
Patents Pending
Preface
Audience
About This Guide
Revision Information
Documentation Conventions
Technical Support
Professional Services
Chapter 1 Introduction
Introducing eHealth TrapEXPLODER
Filtering Traps
Forwarding Traps to Other Trap Receivers
Forwarding Traps to Element Managers
Extending Fault Tolerance for Management Software
Forwarding Traps through TCP Connections
TrapEXPLODER and eHealth
Index
Audience
This guide is intended for the person who is installing and
configuring TrapEXPLODER. To use TrapEXPLODER, you should
have a basic understanding of the Simple Network Management
Protocol (SNMP), traps, and your host’s operating system
environment.
Revision Information
This version of the guide supports TrapEXPLODER Release 1.5
Patch level 1 or later. Since the last release, Chapter 4 has been
eliminated, and its content has been combined with Chapter 2.
Documentation Conventions
Table 1 lists the conventions used in this document.
Convention Description
Technical Support
If you have a Support Contract ID and password, you can
access our Support Express knowledgebase at the following
URL: http://search.support.concord.com.
If you have a software maintenance contract, you can obtain
assistance with eHealth. Have your Support Contract ID
available and contact Technical Support at the following:
Phone: (888) 832-4340
(508) 303-4300
E-mail: support@concord.com
Web site: http://www.concord.com
Professional Services
If you need any assistance with customizing this product,
contact Professional Services at the following:
Phone: (800) 851-8725
Fax: (508) 486-4555
E-mail: proserv@concord.com
Web site: http://www.concord.com
Introduction
Filtering Traps
You can edit the TrapEXPLODER configuration file to filter
traps based on the following criteria:
• Date and time that the trap was received by
TrapEXPLODER
• IP address of the system from which the trap was received
• IP address of the agent that originated the trap
• Trap type (such as Cold Start, Link Down, Link Up,
Enterprise, and so on)
[Figure: fields of a received trap message: Date/Time Stamp*, IP Header, UDP Header, and the Trap PDU (Enterprise*, Agent Address*, Generic Trap Type*, Specific Trap Type*, Agent Uptime, Variable Bindings)]
NOTE
The IP header contains 14 fields, with information such as
source address, destination address, type of service, total
length, and so on. The UDP header contains four fields:
source port, destination port, length, and checksum. For
more information about these headers, refer to a general
networking reference guide.
The port number applies to both the UDP and TCP ports to
use. TrapEXPLODER does not support reception of traps on
different UDP and TCP ports.
NOTE
If you have installed and licensed Fault Manager, the
Events icon in AdvantEDGE View is disabled.
To install TrapEXPLODER:
pkgadd -d ./trapx.pkg
cd /opt/trapx
NOTE
You must be logged in as root to start the software, and
you must specify the -v argument. TrapEXPLODER
displays an alphanumeric string (the public key for
licensing) and a message indicating that you need a
license.
To install TrapEXPLODER:
cd c:\trapx
setup -i
setup -l
NOTE
You must be logged in as an administrator, and you
must specify the -l argument. TrapEXPLODER displays
an alphanumeric string (the public key for licensing)
and a message indicating that you need a license.
To remove TrapEXPLODER:
1. Open a command prompt window and change to the
c:\trapx directory (where c: is the directory in which you
originally installed the TrapEXPLODER software).
2. Enter the following:
setup -r
To install TrapEXPLODER:
mv trapx.tar /usr/local/trapx
NOTE
You must be logged in as root to start the software.
TrapEXPLODER displays an alphanumeric string (the
public key for licensing) and a message indicating that
you need a license.
To install TrapEXPLODER:
cd /opt/trapx
NOTE
You must be logged in as root to start the software. The
-v argument instructs TrapEXPLODER to display an
alphanumeric string (the public key for licensing) and a
message that indicates that you need a license.
TrapEXPLODER Files
This section describes the files that are installed with
TrapEXPLODER. For more information about these files, refer
to the readme.txt file that was installed in the /opt/trapx or
c:\trapx directory.
Option Description
-v Places TrapEXPLODER in verbose mode. This mode causes the program to print
various debugging statements as it receives and filters trap messages. By default,
verbose output is not enabled.
CAUTION
Be careful to avoid trap loops when you are configuring
TrapEXPLODER. That is, make sure that you configure
TrapEXPLODER to forward trap messages to other
management applications—not to itself.
reuse_address
# translate_v2c_traps
#
# This command globally enables v2c -> v1 trap translation, following
# section 3 of RFC2576. Note that v2c traps that contain Counter64
# varbinds can not be translated. See RFC2576 and the TrapEXPLODER
# documentation for details.
#
# translate_v2c_traps
# so_rcvbuf <buffer-size-in-bytes>
#
# This command sets the size of the socket receive buffer. This applies
# to both the UDP and TCP listening sockets. The default is 128000
# bytes.
#
so_rcvbuf 128000
# listen_for_udp_traps <on|off>
#
# This command enables TrapEXPLODER to listen for traps on the UDP SNMP
# Trap port. Comment this out to close the UDP SNMP Trap port. Note
# that if the UDP and TCP SNMP Trap ports are both closed, TrapEXPLODER
# will not be able to receive any traps. The default is ’on’.
#
listen_for_udp_traps on
# listen_for_tcp_traps <on|off>
#
# This command enables TrapEXPLODER to listen for traps on the TCP SNMP
# Trap port. Set this to ’false’ to close the TCP SNMP Trap port. Note
# that if the UDP and TCP SNMP Trap ports are both closed, TrapEXPLODER
# will not be able to receive any traps. The default is ’off’.
#
listen_for_tcp_traps off
# tcp_receive_timeout <timeout-in-seconds>
#
# This command defines the timeout for recv() operations on the TCP
# listen socket, in seconds. Essentially, this keeps TrapEXPLODER from
# being indefinitely blocked by a rogue TCP connection. A value of 0
# disables the timeout, allowing TCP recv() operations to block
# indefinitely. This option only has an effect if listen_for_tcp_traps
# is set to ’on’. The default is 5 seconds.
#
tcp_receive_timeout 5
# trap receiver. This action is deprecated with eHealth 5.5 and higher.
#
#
filter * * * * * * eh 1.2.3.4:666 666 30
# ’blind’ action:
# This action blindly forwards traps without trying to decode them
# first. This is useful if you want to blindly forward traps with an
# unsupported protocol version, or malformed traps. However, since the
# traps are not decoded, only the SrcIp filter option is used.
# filter * * * * * * blind 1.2.3.4:162
#
# ’nat’ action:
# This action translates the agent-addr field in the trap to another IP
# address. Note that this action only does the address conversion. No
# forwarding is implied by this action. Therefore, place this rule
# before any forwarding rules that the nat action should effect.
# Format:
# nat new-agent-addr
# filter * * * * * * nat 1.2.3.4
#
# ’file’ action:
# This action logs the trap to a file in a human-readable format. The
# log-file option is the name of the file to log the trap to.
# max-file-size specifies the maximum size that the file can grow to, in
# kilobytes. When the <log-file> exceeds this size, it is renamed to
# <log-file>.bak, and a new <log-file> is created. If <log-file>.bak
# already exists when the switchover occurs, it is overwritten. If
# max-file-size is unspecified or set to 0, then the log file will grow
# indefinitely.
# Format:
# file log-file [max-file-size]
# filter * * * * * * file /tmp/traps.log 256
# filter * * * * * * file c:\temp\traps.log
#
# ’exec’ action:
# This action executes a program or script. The path to the script
# should be an absolute path, and the entire path and arguments must be
# enclosed in single quotes.
# Format:
# exec ’/path/to/script [arg1 [arg2...]]’
# filter * * * * * * exec ’/tmp/trapScript.pl 0 123 4321’
# filter * * * * * * exec ’c:\temp\trapScript.pl 0 123 4321’
#
# ’break’ action:
# This action causes no action to be taken for a given trap.
# Additionally, no further filter processing will be done for the trap.
# Any options to this action are ignored.
# Format:
# break
# filter * * * * * * break
#
# ’aview’ action:
# This action writes out traps in the aview format. This action will
# not work if TrapExploder is running on an eHealth machine with a
# FaultManager license present.
# filter * * * * * * aview /opt/aview/var/traps
# filter * * * * * * aview c:\aview\var\traps
debug
On Solaris and Windows, the default for the receive buffer size
is 8192 bytes (8 KB). For larger networks, you can set this buffer
to a much higher number. The maximum receive buffer for
Solaris is 256 KB. Though Windows does not publish its
maximum receive buffer size, use 256 KB as your upper limit
for both Windows and Solaris.
NOTE
If you have enabled debugging as described in the previous
section, “Configuring Debug Mode,” TrapEXPLODER
returns the receive buffer size. Verify that the information
TrapEXPLODER returns matches the buffer size that you
have configured and that the size is valid.
listen_for_udp_traps <on|off>
listen_for_tcp_traps <on|off>
The typical case is to set the UDP port to on and the TCP port
to off. It is also valid to have both ports on. Turning both
ports off, however, produces errors.
so_rcvbuf 262144
reuse_address
translate_v2c_traps
Configuring Filters
You can set filters in the trapexploder.cf configuration file.
Filter expressions for TrapEXPLODER use the following
format:
filter DateTime SrcIP Agent TrapType SpecificType Enterprise Action [Option]
• Source IP address
• Agent IP address
• Trap type
• Specific type
• Enterprise Object Identifier (OID)
• Action
Enter one filter per line in the configuration file. For examples,
refer to “Sample trapexploder.cf File” on page 30 and “Filtering
Examples” on page 43.
NOTE
These filter fields are not backward-compatible with
versions of TrapEXPLODER earlier than 1.3. They are valid
only for TrapEXPLODER 1.3 and later.
DateTime A regular expression indicating the date and time that the trap was received by
TrapEXPLODER. For example, Fri May 11 09:23:34 EDT 2001.
NOTE: This value does not necessarily indicate the time that the trap was sent by the
device.
Field Description
Enterprise An OID-based regular expression that TrapEXPLODER compares to the Trap PDU’s
enterprise field. For an example of the SNMP Trap PDU format, refer to Figure 4 on
page 37.
NOTE: Be sure to add a backslash character (\) before any period (.) components
that appear within the OID. The period (.) is a special character in regular
expression syntax.
Field Description
Action A keyword that indicates the action that TrapEXPLODER will perform:
• file – Log the Trap PDU to a file that is specified by the Option field.
TrapEXPLODER will create the file if it does not exist.
• forward – Forward the Trap PDU through UDP to a host that is specified by the
Option field. Use this option if the trap receiver does not support TCP or if the
TCP connection is broken.
• exec – Execute the program or script that is specified by the Option field with the
Trap PDU as input.
• break – Perform no further processing on the current Trap PDU, and do not
evaluate any remaining filters for the current Trap PDU.
• eh – Forward traps to the eHealth system that is specified by the Option field.
(Valid for eHealth Releases 5.0 and 5.5 only.)
• nat – Change the agent IP address that is contained in the SNMP Trap PDU to
the IP address that is specified in the Option field. This action changes only the
agent IP address.
• tcp – Forward traps through a TCP connection without buffering the traps. This
action drops the traps if TrapEXPLODER cannot connect to the remote trap
receiver.
• tcpbuff – Forward traps through a TCP connection. This action saves traps until
TrapEXPLODER is able to connect to the remote trap receiver (or until the
timeout limit is reached).
NOTE: If you are using the tcp or tcpbuff actions and you receive the error
message, “trapexploder: tcp forw detected a broken socket to
<IP>:[port],” the TCP connection is broken or invalid. Use the forward
action (which forwards traps through UDP) instead.
• aview – Write traps (one per file) in the format required by AdvantEDGE View.
• blind – Forward traps without parsing or decoding them first. This feature is
useful for forwarding malformed traps or unsupported SNMP versions (such as
SNMPv3). It enables filtering only on the source IP address.
NOTE: These values are case-sensitive.
Field Description
Option An optional, case-sensitive field that works with the Action field as follows:
• If Action is set to file, set Option to a valid file name to which TrapEXPLODER
can log the Trap PDU. To set the maximum size for the log file, use the
max-file-size argument to the log-file option.
• If Action is set to forward, set Option to a valid IP address and (optionally) port
number.
• If Action is set to host, set Option to a valid host to which TrapEXPLODER can
forward the trap. A host can be an IP address or valid hostname. A host can also
specify a UDP port to which to send the trap if you want to use a port other than
the default, 162. You specify ports by appending a colon and the port number to
the name or IP address.
• If Action is set to break, TrapEXPLODER performs no further processing on the
Trap PDU and evaluates no further filters for that trap.
• If Action is set to eh, set Option to a valid IP address for an eHealth system. You
specify ports by appending a colon and the port number to the name or IP
address. (This action is valid for eHealth Releases 5.0 and 5.5 only.)
• If Action is set to exec, set Option to a valid file name of an executable script or
binary that can process the Trap PDU. The script is executed synchronously by
TrapEXPLODER because it is single-threaded.
• If Action is set to nat, set Option to the IP address with which you want to replace
the agent IP address that was sent in the SNMP Trap PDU.
• If Action is set to tcp, set Option to the IP address (or hostname) and port for the
trap receiver, and the timeout value for the TCP connection as follows:
host:port timeout
• If Action is set to tcpbuff, set Option to the IP address (or hostname) and port
for the trap receiver, the buffer size (in KB), and the timeout value for the TCP
connection as follows:
host:port bufferSize timeout
NOTE: The timeout value indicates how long TrapEXPLODER will keep traps in the
buffer. Adjust your buffer size and timeout values to match your
environment. For example, if you have a high volume of traps, set a large
buffer size; if your link typically goes down for several minutes, set a large
timeout value.
• If Action is set to aview, set Option to the AdvantEDGE View traps directory.
• If Action is set to blind, set Option to the hostname or IP address and optionally
the port for the trap receiver.
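A lint pass over the rules described above, as an added example (not Concord's code and not part of the original guide). It assumes whitespace-separated filter fields with no spaces inside a field, that a forwarding target with no port uses 162, and Python's re module as a stand-in for TrapEXPLODER's regular-expression engine; the function names, finding labels and sample configuration are constructed for illustration.

```python
import re

FORWARDING = {"forward", "tcp", "tcpbuff", "blind"}  # actions that send traps onward
UNESCAPED_DOT = re.compile(r"(?<!\\)\.")             # a '.' with no backslash before it

def parse(text):
    """Split trapexploder.cf text into global settings and filter rules."""
    settings, filters = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "filter":
            # filter DateTime SrcIP Agent TrapType SpecificType Enterprise Action [Option]
            parts = raw.split(None, 8)
            if len(parts) >= 8:
                option = parts[8].strip() if len(parts) > 8 else ""
                filters.append((lineno, parts[6], parts[7], option))
        else:
            settings[words[0]] = " ".join(words[1:])
    return settings, filters

def audit(text, local_addrs=("127.0.0.1",), listen_port=162):
    """Return (line, finding) pairs; line 0 marks a global setting."""
    settings, filters = parse(text)
    findings = []
    tcp_on = settings.get("listen_for_tcp_traps") == "on"
    if settings.get("listen_for_udp_traps") == "off" and not tcp_on:
        findings.append((0, "no-listener"))               # both trap ports closed
    if tcp_on and settings.get("tcp_receive_timeout") == "0":
        findings.append((0, "tcp-recv-never-times-out"))  # recv() may block forever
    for lineno, enterprise, action, option in filters:
        if UNESCAPED_DOT.search(enterprise):
            findings.append((lineno, "unescaped-dot-in-enterprise"))
        if action in FORWARDING and option:
            host, _, port = option.split()[0].partition(":")
            port = int(port) if port.isdigit() else 162   # assumed default port
            if host in local_addrs and port == listen_port:
                findings.append((lineno, "trap-loop"))    # forwards to itself
        if action == "exec":
            words = option.strip("'").split()
            path = words[0] if words else ""
            if not (path.startswith("/") or re.match(r"[A-Za-z]:\\", path)):
                findings.append((lineno, "exec-path-not-absolute"))
    return findings

def enterprise_matches(pattern, oid):
    """True if an Enterprise pattern matches a trap's enterprise OID."""
    return re.search(pattern, oid) is not None

# Constructed sample configuration (not from the guide); 99999 is a made-up
# enterprise number and 127.0.0.1:162 stands for this host's own trap port.
SAMPLE = r"""
listen_for_udp_traps on
listen_for_tcp_traps on
tcp_receive_timeout 0
filter * * * * * 1.3.6.1.4.1.99999 file /tmp/traps.log 256
filter * * * * * 1\.3\.6\.1\.4\.1\.99999 forward 127.0.0.1:162
filter * * * * * * exec 'trapScript.pl 0 123'
filter * * * * * * forward 10.0.0.5:162
"""

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(lineno, finding)
```

The unescaped pattern on sample line 5 also matches the unrelated OID 1.3.6.1.4.1199999, which is why the guide asks for a backslash before each period.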
Filtering Examples
This section includes sample filters that you can add to the
TrapEXPLODER configuration file, trapexploder.cf. You can
use these examples to help design filters that are suitable for
your environment.
In these examples, asterisks (*) indicate placeholders for fields
that you do not want to filter on a specific value.
Matching Trap PDUs from a Local Host
To match all Trap PDUs from the local host, and to effectively
drop and suspend filter processing for them, enter the
following:
NOTE
A backslash character (\) appears before each period
character (.) to ensure that the period character is read
correctly as part of the enterprise ID and not as a regular
expression wildcard operation.
NOTE
You must specify the full pathname to the script.
NOTE
The ehealth variable represents the eHealth home
directory. If you are using the standalone version of
AdvantEDGE View, the AdvantEDGE View traps directory
is /opt/aview/var/traps.
The same error appears if the trap receiver does not support
TCP. If the trap receiver does not support TCP but does
support UDP, you can use the forward action, as described in
the next section.
NOTE
If you are not using input from a file, you must provide the
end-of-file character for each sendtrap command. Use ^Z
for Windows systems or ^d for UNIX systems.
Field Description
host Specifies the host to which sendtrap should send the resulting Trap PDU. This
parameter can be either a domain name or IP address.
TrapType Specifies the integer to use in the generic trap type field in the Trap PDU. Defined in
RFC 1157, this field can accept one of the following values:
• coldStart(0)
• warmStart(1)
• linkDown(2)
• linkUp(3)
• authenticationFailure(4)
• egpNeighborloss(5)
• enterpriseSpecific(6)
Values less than 0 cause sendtrap to print an error message and exit. Values larger
than 6 cause sendtrap to issue a warning message only.
SpecificType Specifies the integer to use in the enterprise-specific trap type field in the Trap PDU.
SpecificType values less than 0 cause sendtrap to print an error message and exit.
NOTE
The sendtrap utility reports 0 for the Trap PDU’s
time-stamp field because it cannot know the real value. Due
to internal limits, sendtrap can send a maximum of 32
variable bindings in a single Trap PDU. You must be able to
represent object values as an ASCII character string to
Sendtrap Examples
This section includes sample filters that you can add to the
sendtrap.cf file, if desired. Add these filters to your
TrapEXPLODER configuration file (trapexploder.cf) to
perform the actions that they describe.
sendtrap 127.0.0.1 3 0
1.3.6.1.2.1.2.2.1.1.1 integer 1
^Z
NOTE
For a UNIX system, use the ^d end-of-file character instead
of ^Z.
NOTE
This command is invoked within the UNIX shell /bin/sh,
and input/output redirection is specific to each shell. For
information about redirecting variable bindings with other
shells, consult the man pages for those shells.