If an SNMP trap comes in and is classified as an "/Unknown" event type, this is because Zenoss does not know what you want to do with this event.
To map this event, from the Event Console, click the checkbox next to the unknown event, and from the page menu, select Map Events to Class.
The Event Mapping dialog appears. Each category does different things to the event: changing its severity, moving it to the history table, etc. For now, select "/App" and press the Map button.
To edit this mapping, from the left navigation, select Events and then click the Mappings tab. Search for and find your Event map and then click the name of the map. Now click the Edit tab.
This will take you to the edit screen for an Event "Mapper". These are the rules used to map this event to the "/App" category. This rule, since it matches the Trap by a very specific OID, is all you need.
In the "transform" section of the mapper, you can put some code to modify the summary. For example, lets say you want to set the summary string to "spam Filter Detects Virus". You would put this in the transform edit area:
evt.summary = "spam Filter Detects Virus"
A trap has a header with some standard (and mostly useless) information. But then it has a sequence of attribute/values You can see these values as event details if you click on the last column of the event.
You have indicated you want the value for the OID ".1.3.6.1.4.1.9789.1500.2.5" as the summary. If you had the MIB loaded, you could do this:
evt.summary = evt.spamFilterDetectsVirus
But... we have the OID and the data is still in there. We just need to use the slightly more cryptic:
evt.summary = getattr(evt, ".1.3.6.1.4.9789.1500.2.5", "Unexpected missing OID")
The "device" object for the event has been made available, too:
evt.summary = getattr(evt, ".1.3.6.1.4.9789.1500.2.5", "Unexpected missing OID") + " from device " + device.getId()
Zenoss uses MIBs to translate SNMP Traps that contain raw OID values Loading a MIB into Zenoss allows it to translate numeric OIDs like .1.3.6.1.2.1.1.6 into descriptive phrases like “sysLocation”. It also makes it easier to manipulate the events in an event mapping.
The following is a small demonstration MIB.
NOTIFICATION-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS
ucdavis FROM UCD-SNMP-MIB
NOTIFICATION-TYPE FROM SNMPv2-SMI
;
demonotifs OBJECT IDENTIFIER ::= { ucdavis 991 }
demo-notif NOTIFICATION-TYPE
OBJECTS { sysLocation }
STATUS current
DESCRIPTION "Just a test notification"
::= { demonotifs 17 }
END
And here's how we send an SNMP trap.
-
From the command line, enter the following command:
$ snmptrap -v 2c -c public localhost '' 1.3.6.1.4.1.2021.991.1.3.6.1.2.1.1.6 s "Device in Annapolis"
-
Save this demonstration MIB into a file.
-
Send the trap.
-
Open the Event Console and find the trap you just sent.
-
In the far right column of the event console, click the magnifying glass in the far right column for the event you just sent.
-
Click the Details tab.
You should see:
.1.3.6.1.2.1.1.6 Device in Annapolis
-
Send this event to the history.
You are now going to load some MIBs into Zenoss so we can get this OID translated into a more understandable format.
-
Copy your demonstration MIB into $ZENHOME/share/mibs/site.
-
Run zenmib to load it into Zenoss:
$ zenmib run -v 10 DEBUG:zen.zenmib:TRAP-TEST-MIB.mib INFO:zen.zenmib:Unable to find a file providing the MIB UCD-SNMP- MIB ...
-
Your MIB loaded, but it's missing some other definitions. They happen to be on the system somewhere else, so you can copy them in:
$ cp /usr/share/snmp/mibs/SNMPv2-MIB.txt $ZENHOME/share/mibs/site $ cp /usr/share/snmp/mibs/UCD-SNMP-MIB.txt $ZENHOME/share/mibs/site
-
Run zenmib again and get these loaded into Zenoss:
$ zenmib run -v 10
-
Send the trap a second time:
$ snmptrap -v 2c -c public localhost '' 1.3.6.1.4.1.2021.13.991 .1.3.6.1.2.1.1.6 s "Device in Annapolis"
-
Now go check the event. Make sure the count is 1. If the count is 2, send the event to the history and send the trap again. Look at the Details tab. Now you should see something like this:
sysLocation Device in Annapolis
You should also see that the event summary changes from:
snmp trap 1.3.6.1.4.1.2021.13.991 from localhost
to:
snmp trap ucdExperimental from localhost
While this is an improvement, we would like to get the “sysLocation” value “Device in Annapolis” into the summary so that users do not have to drill down into the detail screen.
To modify events as they arrive, we will create an event map through the user interface as we did earlier. Create a new Event Class.
Go to the event console and create an event mapping in this class from the existing event.
On the map go to the “Edit” tab. We can filter what events this mapping will work against. For example you could filter on messages that contain the text ucdExperimental. Type “ucdExperimental” in the Regex field.
You can update the event with detail data in the Transform section. The entry field allows you to put in arbitrary Python scripts. The event is provided as “evt” and the device as “dev”. In this case, we'll extract the sysLocation event detail and make it the summary:
evt.summary = evt.sysLocation
Save this event mapping. Move all the events to history. Resend the trap. The summary for the trap should now read the device name in the location you have assigned.
If you have any problems with the Transform, check the zentrap.log file for errors that occurred.
When an event arrives into the Zenoss system, values (such as severity) can be changed. For example, the summary can be made more informative, or the severity changed according to some text within the summary.
Each Event Class allows for a short python script to be executed when an event arrives.
For example, a user may want full-filesystem threshold events on /data to be critical. The following python script in the Threshold Transform of /Events/Perf/Filesystem:
if evt.component == '/data' and evt.severity != 0: evt.severity == 5
Like event mappings for Event Class Keys, both "evt" and "device" objects are available within the script of the transform.
Zenoss News