Handling of SNMP traps (CentOS 8)

This is the day 24 entry of the Zabbix Advent Calendar 2020.

The other day, I wrote on the community site that I would put together the settings for receiving SNMP traps, so I describe them here. Please note that the information is current as of December 2020, and the repositories and software that can be used may change over time.

Assumption of installation environment

This time, we will build the environment on CentOS 8. In early releases of CentOS 8, the net-snmp-perl package did not exist, so it had to be prepared separately. However, at this point (December 2020), it seems that the net-snmp-perl package is available in the AppStream repository of CentOS 8.3.2011.

http://ftp.riken.go.jp/Linux/centos/8.3.2011/AppStream/x86_64/os/Packages/net-snmp-perl-5.8-17.el8.x86_64.rpm

With this, you don't have to prepare it separately.

For Zabbix, we will use 5.0, which is the latest LTS at the moment.

Also, there are two methods for receiving and processing SNMP traps: using snmptt, and using the Perl script zabbix_trap_receiver.pl.

The former is convenient because it can rewrite a received trap into an easy-to-read message, but an snmptt package for CentOS 8 does not exist in EPEL, so it is troublesome to prepare it separately. The latter can be used as long as the net-snmp-perl package and the Perl packages it depends on are installed.

This time, we will use the latter zabbix_trap_receiver.pl. Also, the SNMP version is v2 and the community name is "public".

Data flow when receiving an SNMP trap

In Zabbix, when receiving an SNMP trap, the trap is received via snmptrapd. The data flow is as follows.

[Figure: dataflow_s.png]

Traps generated by network devices and the like are received by snmptrapd running on the same server as Zabbix server, and a script writes each received trap to a log file in a formatted form. That file is read by the Zabbix server process called "snmp trapper" and processed as item values.

Decide in advance

Before building the environment, two things need to be decided: where to place the script that handles traps, and the path of the log file it writes to.

The former is a standalone script that is not included in any package, so we will place it at "/usr/local/bin/zabbix_trap_receiver.pl". The latter will be a log file named "/var/log/snmptrap/snmptrap.log".

Installation procedure

Install Zabbix

Please refer to the following link for the procedure to build Zabbix 5.0 environment using MySQL as a backend on CentOS 8.

Installation of packages required to receive SNMP traps

Install the "net-snmp", "net-snmp-utils", and "net-snmp-perl" packages, which are required to run "zabbix_trap_receiver.pl", the script that receives SNMP traps and formats them for log output.

# dnf install net-snmp net-snmp-utils net-snmp-perl

Placement and configuration of scripts for SNMP trap handling

The script "zabbix_trap_receiver.pl" for trap handling is included in the Zabbix source. Get the source tarball, extract it, and place the file in the directory you decided on earlier.

# wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.7.tar.gz
# tar zxvf zabbix-5.0.7.tar.gz
# cp -p zabbix-5.0.7/misc/snmptrap/zabbix_trap_receiver.pl /usr/local/bin/

Then set the path of the log file in the script file.

# vi /usr/local/bin/zabbix_trap_receiver.pl

The contents to be set are as follows.

#$SNMPTrapperFile = '/tmp/zabbix_traps.tmp';
$SNMPTrapperFile = '/var/log/snmptrap/snmptrap.log';

Comment out the existing setting and set the log file name you decided on earlier. In addition, give the script execute permission and create the directory for log output.

# chmod +x /usr/local/bin/zabbix_trap_receiver.pl
# mkdir /var/log/snmptrap

snmptrapd settings

Next is the setting of snmptrapd. Edit the configuration file /etc/snmp/snmptrapd.conf.

# vi /etc/snmp/snmptrapd.conf

For SNMPv2 with the community name "public", make the following settings in /etc/snmp/snmptrapd.conf.

authCommunity log,execute,net public
perl do "/usr/local/bin/zabbix_trap_receiver.pl";

If the community name is different or the path where zabbix_trap_receiver.pl is placed is different, please modify it according to each environment. After completing the settings, start snmptrapd.

# systemctl start snmptrapd
# systemctl enable snmptrapd

Now that it is set up, let's send a test SNMP trap to see if the script is executed. The following example specifies the OID of linkDown.

# snmptrap -v 2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3

You should see a log entry starting with the time in /var/log/snmptrap/snmptrap.log.

Zabbix server settings

Next, configure Zabbix server to read this log.

# vi /etc/zabbix/zabbix_server.conf

Add the following setting.

StartSNMPTrapper=1

Zabbix server needs to be restarted for the settings to take effect, so restart it.

# systemctl restart zabbix-server
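
One way to confirm that the two sides agree, as an added example that is not part of the original post: Zabbix server reads the file named by its SNMPTrapperFile parameter, so that value has to match $SNMPTrapperFile in the receiver script, and StartSNMPTrapper has to be 1. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the active (uncommented) $SNMPTrapperFile value from the receiver script.
receiver_trap_file() {        # $1 = path to zabbix_trap_receiver.pl
    awk -F"'" '/^[ \t]*\$SNMPTrapperFile[ \t]*=/ { v = $2 } END { print v }' "$1"
}

# Print the value of an uncommented KEY=value line from zabbix_server.conf.
conf_value() {                # $1 = path to zabbix_server.conf, $2 = KEY
    awk -F= -v key="$2" '{ gsub(/[ \t]/, "", $1) } $1 == key { v = $2 } END { print v }' "$1"
}

# Return 0 only when the script and the server use the same file and the
# "snmp trapper" process is enabled.
check_trap_config() {         # $1 = receiver script, $2 = zabbix_server.conf
    script_file=$(receiver_trap_file "$1")
    server_file=$(conf_value "$2" SNMPTrapperFile)
    trappers=$(conf_value "$2" StartSNMPTrapper)
    rc=0
    # An unset SNMPTrapperFile means the server default, /tmp/zabbix_traps.tmp.
    [ -n "$server_file" ] || server_file=/tmp/zabbix_traps.tmp
    if [ "$script_file" != "$server_file" ]; then
        echo "MISMATCH: script writes '$script_file', server reads '$server_file'"
        rc=1
    fi
    if [ "${trappers:-0}" != 1 ]; then
        echo "DISABLED: StartSNMPTrapper=${trappers:-unset}, expected 1"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: both sides use $script_file"; fi
    return "$rc"
}

# Run against real files when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_trap_config "$1" "$2"
fi
```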

Firewall settings

With the default firewall settings, SNMP traps cannot be received, so allow them through.

# firewall-cmd --add-port=162/udp --zone=public --permanent
# firewall-cmd --reload
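
With the snmptrapd.conf and firewall settings above, traps with community "public" are accepted from any address, because the authCommunity line names no source and 162/udp is open for the whole zone. As an added example that is not part of the original post, the following prints a per-sender variant of both settings for review; the function names and the sender list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sender
# list are assumptions; replace them with your own device addresses.

# Reject empty values and anything other than digits, dots and one slash.
valid_source() {
    case $1 in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit snmptrapd.conf lines that accept the community only from listed senders.
# authCommunity takes an optional SOURCE field after the community name.
trapd_conf_lines() {          # $1 = community, remaining args = senders
    community=$1; shift
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
        echo "authCommunity log,execute,net $community $src"
    done
    echo 'perl do "/usr/local/bin/zabbix_trap_receiver.pl";'
}

# Emit firewall-cmd commands that allow 162/udp per sender, not zone-wide.
firewall_commands() {         # args = senders
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
        printf '%s\n' "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"162\" protocol=\"udp\" accept'"
    done
    echo "firewall-cmd --permanent --zone=public --remove-port=162/udp"
    echo "firewall-cmd --reload"
}

# Constructed sender list: loopback for the local test trap, one device subnet.
trapd_conf_lines public 127.0.0.1 192.168.1.0/24
firewall_commands 192.168.1.0/24
```

The local test trap sent to 127.0.0.1 keeps working because loopback is listed as a sender in the snmptrapd.conf lines.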

Log rotation

Let's also set up rotation so that the log file does not keep growing.

# vi /etc/logrotate.d/snmptrap

For example, the following settings can be considered.

/var/log/snmptrap/snmptrap.log {
	daily
	rotate 7
	compress
	delaycompress
	missingok
	notifempty
}

Set the rotation according to how long the logs need to be kept.

Testing traps in Zabbix

Let's check if Zabbix server can receive SNMP traps. I find it difficult to deliberately throw a trap from a real network device, so let's use a command from a Linux server to throw a trap and see if it can be received.

It may be difficult to prepare a separate server for sending SNMP traps, so I will use the method of throwing traps locally.

Creating hosts and items

This time we will create a host for testing that can receive local traps.

[Figure: hostsetting.png]

The key point is to give the host an SNMP interface. When registering an actual network device as a host, set the IP address, port number, SNMP version and community according to the environment. "{$SNMP_COMMUNITY}", which is set as the SNMP community by default, is a macro defined in the global macros. By default, its value is "public". You can set the community individually on each host, but if you want to use the same settings on multiple hosts, using the macro makes it easier to change them all at once.

Then create an item on that host. Here, we will use an item key called "snmptrap.fallback" to receive all traps.

[Figure: itemsetting.png]

When configuring a real host, you will probably need to decide for each kind of trap whether it indicates a failure, so I think it is better to use "snmptrap[regexp]", with a regular expression as the regexp argument, and create items that each receive a specific trap.

I think the type of information works with either "Log" or "Text". When "Log" is used, the timestamp included in the trap can be read, so in this example I selected "Log" as the type and specified the log time format to match the date format written to the log.

Send test trap to Zabbix server

Now, since we're just going to do it locally for testing, run the following command as before.

# snmptrap -v 2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3

When sending from another server, specify the IP address of the destination as an argument and execute.

# snmptrap -v 2c -c public <IP address of Zabbix server> '' .1.3.6.1.6.3.1.1.5.3

Confirmation with Zabbix web interface

The trap you received should look like this when you open the history of the corresponding item under "Monitoring Data" -> "Latest Data".

[Figure: trapdata.png]

If you don't see it, the Zabbix server log (/var/log/zabbix/zabbix_server.log) should contain an entry like the following.

  1809:20201224:184201.901 unmatched trap received from "192.168.1.50": 18:42:00 2020/12/24 PDU INFO:

This happens because the information contained in the SNMP trap received by Zabbix server does not match the information of the host registered on Zabbix. In this case, the host with the SNMP interface with the IP address 192.168.1.50 was not registered.

If such a log is output, please review the host and item settings.
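
The diagnosis described above, as an added example that is not part of the original post: it counts "unmatched trap" lines per sender in the Zabbix server log and tags each sender by what needs reviewing. The function names and the interfaces file (one SNMP interface address per line, maintained by you) are hypothetical, and the tagging assumes Zabbix also logs a trap as unmatched when an interface exists but no snmptrap item accepted it.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "ADDRESS COUNT" for every sender that produced unmatched traps.
unmatched_trap_sources() {   # $1 = path to zabbix_server.log
    sed -n 's/.* unmatched trap received from "\([^"]*\)".*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Tag each sender: "interface" = no SNMP interface has this address,
# "item" = an interface exists, so no snmptrap item on it took the trap.
classify_unmatched() {       # $1 = server log, $2 = file of interface addresses
    unmatched_trap_sources "$1" | while read -r addr count; do
        if grep -qxF -- "$addr" "$2"; then
            echo "$addr $count item"
        else
            echo "$addr $count interface"
        fi
    done
}

# Constructed sample lines in the format of the log line shown above.
sample_server_log() {
    cat <<'EOF'
  1809:20201224:184201.901 unmatched trap received from "192.168.1.50": 18:42:00 2020/12/24 PDU INFO:
  1809:20201224:184305.114 unmatched trap received from "192.168.1.50": 18:43:04 2020/12/24 PDU INFO:
  1809:20201224:184410.250 unmatched trap received from "127.0.0.1": 18:44:09 2020/12/24 PDU INFO:
  1809:20201224:184500.002 some unrelated log line
EOF
}

# Demo: 127.0.0.1 is registered on the test host, 192.168.1.50 is not.
tmp=$(mktemp -d)
sample_server_log > "$tmp/zabbix_server.log"
echo "127.0.0.1" > "$tmp/interfaces.txt"
classify_unmatched "$tmp/zabbix_server.log" "$tmp/interfaces.txt"
rm -rf "$tmp"
```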

If you want to use your own MIB

Since the MIB information available on CentOS by default is limited, you may want to add vendor-specific MIBs. In that case, for example, create a directory called "/usr/share/snmp/vender_mibs", put the vendor-specific MIB files in it, then create a file called /etc/snmp/snmp.conf and configure it to read the MIB information in that directory as well.

Setting Example:

mibdirs /usr/share/snmp/mibs:/usr/share/snmp/vender_mibs
mibs all

Finally

Depending on the application, it may be better to use snmptt, but I have introduced this as a method to receive SNMP traps on CentOS 8 and monitor them with Zabbix without much trouble.

It may become obsolete over time, but please refer to it as information at this time (December 2020).

If you have any questions, please use the forum on the Community Site.
