Friday 25 January 2013

SNMPTRAPS

I spent a lot of time getting this working; SNMPTRAPS are hard work.

There are plenty of guides on installing and configuring SNMPTRAPS, however I seem to have run into several pitfalls, so I thought I would put them here in case it helps someone.

It's more of a list of things to check.
I installed Ubuntu snmpd version: 5.4.3~dfsg-2.5ubuntu1

Commands that help to test things are working.

To display the path being searched for MIBs (this is set via the export option):

sudo net-snmp-config --default-mibdirs

Test that OID translation is working. If it is, you will get sysUpTime.0 as output.

sudo snmptranslate .1.3.6.1.2.1.1.3.0
SNMPv2-MIB::sysUpTime.0

Does the reverse translation work?

sudo snmptranslate -On SNMPv2-MIB::sysUpTime.0
.1.3.6.1.2.1.1.3.0

Do you have any MIBS?

MIBS do not come with the install! There is another package that will fetch the MIBs for you. This is because of copyright issues apparently.

Search for anything with MIB in its name.

sudo find / | grep MIB

Otherwise, install snmp-mibs-downloader (I installed version 1.1):

sudo aptitude install snmp-mibs-downloader

Then download the MIBs:

download-mibs

I found I still had missing MIBs, so I had to Google for them and download them. If you do this, ensure that the file name does not have an extension (.txt or whatever), else it will be ignored. Also check the first line of the MIB to confirm it is indeed a MIB.

sudo head nameofmib

It should have something like DEFINITIONS ::= BEGIN as its first line.
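
The two checks above (no file extension, a DEFINITIONS ::= header) can be run over a whole MIB directory in one pass. The script below is an added example, not part of the original post; the function name audit_mibs and the sample files are made up for illustration, and it assumes the header is the first line that is neither blank nor an ASN.1 "--" comment.

```shell
#!/bin/sh
# audit_mibs DIR: print one line per file in DIR and return non-zero if
# any file would trip one of the two pitfalls described in the post.
audit_mibs() {
    dir=$1
    problems=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Pitfall 1: the post reports that files with an extension are ignored.
        case $name in
            *.*) echo "EXTENSION $name"; problems=$((problems + 1)); continue ;;
        esac
        # Pitfall 2: not a MIB at all (e.g. a saved HTML error page).
        # Skip blank lines and ASN.1 "--" comments, then expect a header
        # such as "IF-MIB DEFINITIONS ::= BEGIN" (BEGIN may wrap).
        first=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*--' "$f" | head -n 1)
        case $first in
            *DEFINITIONS*::=*)
                echo "OK $name module=$(printf '%s\n' "$first" | awk '{print $1}')" ;;
            *)
                echo "NOT-A-MIB $name"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Demo on constructed sample files (not real MIBs).
demo=$(mktemp -d)
printf '%s\n' '-- constructed sample' '' 'DEMO-MIB DEFINITIONS ::= BEGIN' 'END' > "$demo/DEMO-MIB"
cp "$demo/DEMO-MIB" "$demo/OTHER-MIB.txt"
printf '%s\n' '<html><body>404 Not Found</body></html>' > "$demo/SAVED-PAGE"
audit_mibs "$demo" || echo "fix the files flagged above before restarting snmpd"
rm -rf "$demo"
```

To check a real directory, call the function with its path, for example audit_mibs /root/.snmp/mibs. The module name printed for each good file is the name snmptranslate uses before the :: in its output.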

Because I spent a lot of time and made many config changes (install / reinstall) to get it working, I gave up trying to get multiple mibdirs working. I decided instead to move all MIBs to the first search location, /root/.snmp/mibs.

Config files and starting and stopping the service.

snmptrapd is started and stopped by the snmpd service:

service snmpd start
service snmpd stop

There are two config files you will also need to visit. These are the contents of mine.

cat /etc/snmp/snmptrapd.conf

# Run trap.
TRAPDRUN=yes
# Disable authorisation. Access control is on by default; with it disabled, snmptrapd
# accepts traps from any sender. If you have time you should use authorisation instead!
disableAuthorization yes
# The IP address you want the trap daemon to listen on (will use UDP port 162).
snmpTrapdAddr 192.168.192.168
# Output to the following file.
logOption f /var/log/snmptrap.log
# You will not need the following line unless you are using JFFNMS (Just For Fun Network Monitoring System)
traphandle default /usr/share/jffnms/engine/trap_receiver.sh


cat /etc/default/snmpd
# Make sure this works. Some guides say to use export MIBS, some export MIBDIRS.
# MIBDIRS is the list of directories to search (MIBS is the list of modules to load).
# If you have more than one location, you can add a second location using a : as a separator.

# export MIBS=/root/.snmp/mibs <- did not work for me!
export MIBDIRS=/root/.snmp/mibs

# SNMP Bit.
# snmpd control (yes means start daemon).
SNMPDRUN=yes
SNMPDOPTS='-LS6d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'

#SNMPTRAP bit
# snmpd control (yes means start daemon).
TRAPDRUN=yes
TRAPDOPTS='-Lsd -m ALL -p /var/run/snmptrapd.pid -c /etc/snmp/snmptrapd.conf 172.18.100.7'
# Note: -m ALL loads all MIBs, if your location export works.
# See MAN page for a full list of options:   
# create symlink on Debian legacy location to official RFC path
SNMPDCOMPAT=yes

When things don't work. 


I used nmap to confirm the trap ports were open (or not). You could of course send a trap from another device, which is the point of this exercise.

nmap -sU -p 161,162 192.168.192.186

To confirm you are being sent a trap, you can use tcpdump to look for the incoming packets.

tcpdump -i eth2 dst port 162

Or watch the log live:

tail -f /var/log/snmptrap.log

You can search for the process. This is useful because you can also see the command line it's running with.

ps aux | grep snmp

You can also stop the process using kill -9 (process id).

To run the trap daemon from the CLI and output to /var/log/snmptrap.log:

snmptrapd -m +ALL -Lf /var/log/snmptrap.log --disableAuthorization=yes


I had a problem in that running the command from the CLI meant that the OID was translated, but running it as a process meant the OID was not translated. This was fixed by changing the "export" option in /etc/default/snmpd, but it took me some time to work out that was the problem.

Happy trapping.


1 comment:

  1. Nice sharing, thank you. I'm new to snmptraps. Cisco devices now have from 1 up to 24 ports, the sample was only port1 down to it, how can I see Icing
