Differences

This shows you the differences between two versions of the page.

en:documentation:03_monitoring:08_snmp_traps_monitoring [2021/07/18 01:22]
jimmy.olano He subido una nueva captura de pantalla.
en:documentation:03_monitoring:08_snmp_traps_monitoring [2021/08/11 20:59]
jimmy.olano [TRAP-Storm Protection]
Line 131: Line 131:
 === Introduction === === Introduction ===
  
-Pandora FMS also has an alert system for received SNMP traps. They are mainly based on filtering rules, searching for matches in all possible fields according to rules that are set up to trigger the alert. Before reading on, bear in mind you can find out more about Pandora FMS alerts (([[:en:documentation:04_using:01_alerts|]]))+Pandora FMS also has an alert system for received SNMP traps. They are mainly based on filtering rules, searching for matches in all possible fields according to rules that are set up to trigger the alert. Before reading on, bear in mind you can find out more about [[:en:documentation:04_using:01_alerts|Pandora FMS alerts]]
 + 
 +{{  :wiki:pfms-alerts-snmp_alerts-alert_overview.png  }} 
  
 === Adding an alert === === Adding an alert ===
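Review bot: the reworked Introduction sentence now ends directly at the link `[[:en:documentation:04_using:01_alerts|Pandora FMS alerts]]` with no full stop, whereas the old version at least closed the footnote; add the period after the link so the sentence is terminated before the new screenshot.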
Line 141: Line 144:
 **Enterprise String** **Enterprise String**
  
-The main OID of the trap. It will look for the presence of the string. For example, if you are looking for a piece of the OID, you may use ''1.21.34.2.3''  and every OID that contains that one will be filtered, as if it were ''*1.21.34.2.3*''  But there is NO need to use the * character.+The main OID of the trap. It will look for the presence of the string. For example, if you are looking for a piece of the OID, you may use ''1.21.34.2.3'' and every OID that contains that one will be filtered, as if it were ''*1.21.34.2.3*'' But there is NO need to use the * character.
  
 **Custom Value/OID** **Custom Value/OID**
  
-This element will search within the trap's **value**, **custom OID**, **custom value**  and in the rest of the TRAP fields. Regular expressions are supported here. For example, if you have a trap that sends the "Testing TRAP 225" string, you can search for any trap with the subchain "Testing TRAP" through the regular expression "Testing. *TRAP.*"+This element will search within the trap's **value**, **custom OID**, **custom value** and in the rest of the TRAP fields. Regular expressions are supported here. For example, if you have a trap that sends the "Testing TRAP 225" string, you can search for any trap with the subchain "Testing TRAP" through the regular expression "Testing. *TRAP.*"
  
 **SNMP Agent** **SNMP Agent**
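Review bot: the regular expression in the Custom Value/OID example, `"Testing. *TRAP.*"`, is carried over unchanged on both sides with a space between the dot and the star. As written it means "any single character, then zero or more spaces", not "any sequence of characters"; it still happens to match the literal "Testing TRAP 225" used as the example, but not the general "Testing ... TRAP" pattern the wildcard is meant to express. Suggest `"Testing.*TRAP.*"` while this paragraph is being touched.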
Line 153: Line 156:
 **Trap type** **Trap type**
  
-The filter by trap type. Most of the generated traps are usually **Other**  type. If nothing is specified, it will look for any type of trap.+The filter by trap type. Most of the generated traps are usually **Other** type. If nothing is specified, it will look for any type of trap.
  
 {{  :wiki:trap_type.png?360  }} {{  :wiki:trap_type.png?360  }}
Line 163: Line 166:
 **Variable bindings/Data #1-20'** **Variable bindings/Data #1-20'**
  
-These are regular expressions which try to match the binding variables from 1 to 20. If there is a match, the alert is triggered. The value of the variable is stored in the corresponding ''_snmp_fx_''  macro (e.g. ''_snmp_f1_'', ''_snmp_f2_'', etc.). Although only twenty binding variables are able to search for matches, the ''_snmp_fx_''  macros are set for all of them (''_snmp_f11_'', ''_snmp_f12_'', etc.).+These are regular expressions which try to match the binding variables from 1 to 20. If there is a match, the alert is triggered. The value of the variable is stored in the corresponding ''_snmp_fx_'' macro (e.g. ''_snmp_f1_'', ''_snmp_f2_'', etc.). Although only twenty binding variables are able to search for matches, the ''_snmp_fx_'' macros are set for all of them (''_snmp_f11_'', ''_snmp_f12_'', etc.).
  
 {{  :wiki:alertsnmp2.png?600  }} {{  :wiki:alertsnmp2.png?600  }}
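Review bot: the heading `**Variable bindings/Data #1-20'**` keeps a stray apostrophe after `20` on both sides of the change; drop it. In the same paragraph, the closing example meant to show that `_snmp_fx_` macros exist beyond the twenty searchable bindings cites `_snmp_f11_` and `_snmp_f12_`, which are inside the first twenty and so do not illustrate the point; a macro number above 20 would make the sentence read as intended.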
Line 169: Line 172:
 **Field 1** **Field 1**
  
-Field to set the ''Field 1''  alarm command parameter. This is the field that will be used in case of choosing to generate an event, or the destination mail in case of choosing an ''eMail''  action (if you wish to overwrite the default email in the action). To fully understand how custom fields work in actions/alerts templates, read the documentation chapter that explains the alerts in Pandora FMS [[http://wiki.pandorafms.com/index.php?title = en:documentation:start:Alerts|here]].+Field to set the ''Field 1'' alarm command parameter. This is the field that will be used in case of choosing to generate an event, or the destination mail in case of choosing an ''eMail'' action (if you wish to overwrite the default email in the action). To fully understand how custom fields work in actions/alerts templates, read the documentation chapter that explains the alerts in Pandora FMS [[http://wiki.pandorafms.com/index.php?title = en:documentation:start:Alerts|here]].
  
 **Field 2** **Field 2**
-<code> 
  
-Field to set the command parameter of the ''Field 2'' alarm. In case of sending an email, it will be the subject of the message. If left blank, it would use what it had defined in the action. + Field to set the command parameter of the ''Field 2'' alarm. In case of sending an email, it will be the subject of the message. If left blank, it would use what it had defined in the action.
- +
-</code>+
  
 **Field 3** **Field 3**
  
-<code> + Field to set the command parameter of the ''Field 3'' alarm. In case of sending an email, it would be the text of the message. If left blank, it would use what it had defined in the action.
-Field to set the command parameter of the ''Field 3'' alarm. In case of sending an email, it would be the text of the message. If left blank, it would use what it had defined in the action. +
- +
-</code>+
  
 **Min. Number of Alerts** **Min. Number of Alerts**
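Review bot: unwrapping the Field 2 and Field 3 descriptions from `<code>` is the right fix, but the Field 1 link `[[http://wiki.pandorafms.com/index.php?title = en:documentation:start:Alerts|here]]` is kept verbatim on both sides with spaces around `=`, which leaves a malformed URL to the old wiki path. This same revision already switched the Introduction to an internal link; suggest the matching form here, `[[:en:documentation:04_using:01_alerts|here]]`, so both references resolve to the current alerts chapter.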
Line 199: Line 196:
 **Priority** **Priority**
  
-Combo where the alarm priority is set. The priorities of the alerts are different and have nothing to do with the priority of the traps, nor with the Pandora FMS events.+Combo where the alarm priority is set. 
 + 
 +{{  :wiki:pfms-alerts-snmp_alerts-snmp_console_create_alert-priority.png  }} 
 + 
 +<WRAP center round info 60%>\\ 
 +The priorities of the alerts are different and have nothing to do with the priority of the traps, nor with the Pandora FMS events.\\ 
 +</WRAP>
  
 **Alert Action** **Alert Action**
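Review bot: in the added info box, the opening line `<WRAP center round info 60%>\\` and the sentence ending `...Pandora FMS events.\\` each carry a forced line break, which renders as an empty line inside the box before and after the single sentence; drop both `\\` so the note renders as one line. Splitting the priority caveat out of the paragraph into a callout is otherwise a clear improvement.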
Line 208: Line 211:
  
 The alerts with a lower position are evaluated first. If several alerts with the same position match a trap, all alerts matching the same position will be triggered. Although lower position alerts may match the trap, they will not be triggered. The alerts with a lower position are evaluated first. If several alerts with the same position match a trap, all alerts matching the same position will be triggered. Although lower position alerts may match the trap, they will not be triggered.
 +
  
 === Alert Field Macros === === Alert Field Macros ===
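Review bot: the unchanged context paragraph on alert position contradicts itself: it first says that alerts with a lower position are evaluated first and that all alerts matching at that position are triggered, then says "Although lower position alerts may match the trap, they will not be triggered". From the first two sentences the last one can only refer to alerts at a higher (later) position; since this hunk only adds a blank line, the wording was left as is and is worth correcting while the section is open.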
Line 245: Line 249:
 === TRAP-Storm Protection === === TRAP-Storm Protection ===
  
-There are a couple of parameters in the server which are conceived to protect the system against the arrival of a Trap Storm, coming from a single location. Use the following settings in the ''pandora_server.conf''  file for this:+There are a couple of parameters in the server which are conceived to protect the system against the arrival of a Trap Storm, coming from a single location. Use the following settings in the ''pandora_server.conf'' file for this:
  
-  * ''snmp_storm_protection''The max. number of processed SNMP traps by the same source IP in a given interval (see below). +   * ''snmp_storm_protection'' The max. number of processed SNMP traps by the same source IP in a given interval (see below). 
-  * ''snmp_storm_timeout''The interval in seconds for protection against an SNMP Trap Storm. During this interval, the system will only process 'snmp_storm_protection' type traps from the same source (IP). +  * ''snmp_storm_timeout'' The interval in seconds for protection against an SNMP Trap Storm. During this interval, the system will only process 'snmp_storm_protection' type traps from the same source (IP). 
-  * ''snmp_storm_silence_period''If it is greater than 0 each time the storm protection is triggered for a particular source, the current time will be added plus the silence time. Until this time passes, no new traps will be registered for the specific source.+  * ''snmp_storm_silence_period'' If it is greater than 0 each time the storm protection is triggered for a particular source, the current time will be added plus the silence time. Until this time passes, no new traps will be registered for the specific source.
 When this protection fires, it is reflected in an event on the console: When this protection fires, it is reflected in an event on the console:
  
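Review bot: in the three `snmp_storm_*` items the change only inserts a space between the option name and its description, so there is still no separator; `''snmp_storm_protection'': The max. number ...` (or a dash) would read cleanly. The first item also now has three leading spaces where the other two keep two, which DokuWiki may render as a different list level; align the indentation. In the `snmp_storm_timeout` text, "will only process 'snmp_storm_protection' type traps" reads as if it named a trap type; it means "at most `snmp_storm_protection` traps from the same source IP during the interval", and saying so removes the ambiguity.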
Line 255: Line 259:
  
 Trap storm protection combined with trap filtering (see below) allows that if you receive hundreds of thousands of traps per day, you work with only a few thousand traps to delete redundant or unhelpful traps. Trap storm protection combined with trap filtering (see below) allows that if you receive hundreds of thousands of traps per day, you work with only a few thousand traps to delete redundant or unhelpful traps.
 +
  
 === TRAP Filtering in the Server === === TRAP Filtering in the Server ===