An SNMP trap demo

Now that we have the LooperNG basics down, we can start toying with some of the SNMP modules. In the following example we build a circular LooperNG configuration, just because we can. A circular configuration is one in which an output module sends events to an input module of the same LooperNG instance. Circular configurations can be dangerous if not properly tested: an event that re-enters through the input and matches the same rule again will be re-sent indefinitely. In this demo the cycle is broken on purpose, because traps received by snmpd_in are only written to a log file and never sent back out as traps.

We are going to build a simple syslog-to-trap generator. Instead of sending the traps to a management station, we send them back to LooperNG's own snmpd_in module; a rule then writes every token of the received trap to a log file.

Note: snmpd_in binds UDP port 162, which is a privileged port, so you will need to be root to run the example below. Bear in mind that an SNMPv1/v2c trap listener authenticates nothing beyond the community string carried in the packet, so any host that can reach that port can inject events into your rules; run the demo on a trusted network or firewall the port.

The configuration

# Rules file to load. The rules used by this demo are shown further down.
rulesfile = '/opt/local/looper/conf/rules/snmpdemo.rules'

# Set log level and location. The location can be overridden
# with the --stderr switch.
loglevel = '4'
logfile = '/opt/local/looper/log/looper.log'

# Set the listen port for the admin server (--port).
port = '5400'

# MD5 hash (not encryption) of the admin server password. Use --md5 to generate a new one.
password = 'cf79217d6d9da75c6605bffb8eeabb96'

# A new input module named syslog_in1. It monitors a syslog file
# for new events.
input syslog_in1 {

  # Module file name as expected in $LOOPER_HOME/modules
  module = 'syslog_in'

  # Which file to monitor
  logfile = '/var/log/messages.1.bak'

  # The poll time for the file.
  sleeptime = '2'

  # tailstyle specifies where the monitoring begins. Set
  # to 0 for end-of-file. n for last n lines. Or -1 to
  # read entire file from beginning.
  #
  # Below we start reading from the last 10 lines.
  tailstyle = '10'

  # Where syslog_in debug messages go
  debugmessages = '/opt/local/looper/log/syslog_in.log'

  # syslog_in debug level
  debugmode = '4'
}

# Start an SNMP trap collector called snmpd_in1
input snmpd_in1 {
  # Module file name
  module = 'snmpd_in'

  debugmessages = '/opt/local/looper/log/snmpd_in.log'
  debugmode = '4'
}

# A new output module named logfile_out1. This module is used to
# send events to a log file. Useful debugging aid.
output logfile_out1 {
  module = 'logfile_out'

  # Name of file to send alerts to
  filename = '/opt/local/looper/log/logfile.out'

  # If set to 1 will append to existing file
  append = 0

  debugmode = '4'
  debugmessages = '/opt/local/looper/log/logfile_out.log'
}

# An SNMP trap generator.
output trapgen1 {
  module = 'snmptrap_out'

  # Where to send traps
  managementstation = '127.0.0.1'
  port = '162'
  community = 'public'
  version = '2'

  # SNMP enterprise OID to use (can be overridden in the rules file)
  enterprise = '1.3.6.1.4.1.34555'

  # OID prefix for the varbinds. Note that this prefix starts with 1.3.5
  # while the enterprise above sits under 1.3.6; the varbindOID tokens in
  # the output below carry the prefix exactly as configured here.
  varbindoids = '1.3.5.1.4.1.34555.1'

  # String delimiter used to split $OUT{varbinds} into individual varbinds
  varbinddelimeter = '::'


  debugmode = '4'
  debugmessages = '/opt/local/looper/log/trapgen1.log'
}

# A RAW trap forwarder (not started in this demo, see below)
output trapgen2 {
  # Do not start this module automatically.
  __autostart = 'no'
  module = 'snmptrap_out'

  # Where to send traps to
  managementstation = '192.168.1.111'
  port = '162'
  community = 'public'

  # Setting rawmode to 1 tells it to blindly forward
  # the trap in $OUT{rawtrap} without rewriting it. $OUT{rawtrap}
  # should be a base64 encoded SNMP trap PDU. The snmpd_in
  # module delivers this token in $IN{rawtrap}.
  rawmode = '1'

  debugmode = '4'
  debugmessages = '/opt/local/looper/log/trapgen2.log'
}

The module named trapgen2 does not serve any purpose in this example; it is there to show what a trap forwarder/exploder configuration looks like, and __autostart = 'no' keeps it from starting. When snmpd_in sends an event, it includes the raw trap PDU, Base64-encoded, in a token called $IN{rawtrap}. A snmptrap_out module running with rawmode set to 1 takes $OUT{rawtrap} and forwards that PDU, unmodified, to its own management station. Because nothing is rewritten, the forwarded message carries whatever community string and agent address the original sender put in it, not the community configured on trapgen2.

The rules

# Start each evaluation with an empty set of output tokens.
%OUT = ();

if ( $IN{__module} eq 'snmpd_in1' )
{
  LOG (4, "Got trap. Logging all tokens to file...");

  # Copy every incoming token, rawtrap included, and write them to logfile.out.
  %OUT = %IN;

  SEND ('logfile_out1');
}

elsif ( $IN{__module} eq 'syslog_in1' )
{
  LOG (4, "Got Syslog message. Forwarding as trap...");

  # generic-trap 6 = enterpriseSpecific; specific-trap is our own code.
  $OUT{generictrap} = 6;

  $OUT{specifictrap} = 1000;

  # Varbinds separated by '::' (the delimiter configured on trapgen1);
  # the hostname becomes varbind0 and the message text varbind1.
  $OUT{varbinds} = "$IN{node} :: $IN{desc}";

  SEND ('trapgen1');
}

Start LooperNG

./looperng -c conf/snmpdemo.conf --stderr --loglevel 4

The output

[root@grok log]# cd /opt/local/looper/log
[root@grok log]# cat logfile.out
---SNIP---
Event at [Sun Sep 14 11:20:29 2003]
__module = snmpd_in1
varbindOID1 = 1.3.5.1.4.1.34555.1.6.10001
enterprise = 1.3.6.1.4.1.34555
varbindOID0 = 1.3.5.1.4.1.34555.1.6.10000
__runpath = /opt/local/looper/modules/snmpd_in
agentaddr = 192.168.0.51
rawtrap = MIGXAgEABAZwdWJsaWOkgYkGCCsGAQQBgo17QATAqAAzAgEGAgID6EMBZDBtMBoGDCsFAQQBgo17AQbOEAQKbG9jYWxob3N0IDBPBgwrBQEEAYKNewEGzhEEPyBzdShwYW1fdW5peClbMjUxMTVdOiBzZXNzaW9uIG9wZW5lZCBmb3IgdXNlciByb290IGJ5ICh1aWQ9NTAwKQ==
varBindTotal = 2
__taskid = 4
varbindTag1 = 4
generic-trap = 6
community = public
varbindTag0 = 4
__taskpid = 6374
varbind1 = su(pam_unix)[25115]: session opened for user root by (uid=500)
varbind0 = localhost
specific-trap = 1000
Event at [Sun Sep 14 11:20:29 2003]
__module = snmpd_in1
varbindOID1 = 1.3.5.1.4.1.34555.1.6.10001
enterprise = 1.3.6.1.4.1.34555
varbindOID0 = 1.3.5.1.4.1.34555.1.6.10000
__runpath = /opt/local/looper/modules/snmpd_in
agentaddr = 192.168.0.51
rawtrap = MG8CAQAEBnB1YmxpY6RiBggrBgEEAYKNe0AEwKgAMwIBBgICA+hDAWQwRjAaBgwrBQEEAYKNewEGzhAECmxvY2FsaG9zdCAwKAYMKwUBBAGCjXsBBs4RBBggc3lzbG9nZCAxLjQuMTogcmVzdGFydC4=
varBindTotal = 2
__taskid = 4
varbindTag1 = 4
generic-trap = 6
community = public
varbindTag0 = 4
__taskpid = 6374
varbind1 = syslogd 1.4.1: restart.
varbind0 = localhost
specific-trap = 1000
---SNIP---
[root@grok log]#

The output above is a good example of all the tokens generated by the snmpd_in module. The SNMP variable bindings are stored in varbind0 and varbind1, with their OIDs in varbindOID0 and varbindOID1 and their BER type tags in varbindTag0 and varbindTag1 (4 is an OCTET STRING); they hold the syslog hostname and description respectively. The agent address has been masqueraded as another host: the trap was sent to 127.0.0.1, but agentaddr reads 192.168.0.51. The rawtrap token is the Base64-encoded SNMP trap PDU exactly as it arrived on the wire; Base64 encoders usually wrap their output at 76 columns, so expect line breaks in the token when you copy it out of a log.
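The listing above is worth checking rather than taking on trust, and the rawtrap token makes that possible. The Python below is an added example, not part of LooperNG or of this tutorial, and it needs only the standard library. It decodes the second rawtrap value from the log with a minimal BER parser for the SNMPv1 Trap-PDU, then rebuilds the same trap from what the rules file handed trapgen1 (node :: desc split on the '::' delimiter, generic-trap 6, specific-trap 1000) together with the varbind OIDs exactly as they appear in the log, and checks that the result matches the logged PDU byte for byte. Two values in the rebuild are taken from the decoded PDU rather than from the rules, and are labelled as such in the code: the 100-tick timestamp and the .6.1000x OID suffix scheme. Two things the token dump does not show: the PDU on the wire is an SNMPv1 Trap-PDU (version field 0, tag 0xA4) even though trapgen1 is configured with version = '2', so a receiver that only accepts v2c traps should be tested against what is actually sent; and the spaces around '::' survive the split, so the OCTET STRING values are "localhost " and " syslogd 1.4.1: restart.".

```python
# Added example (not LooperNG code): a minimal BER reader/writer for the SNMPv1
# Trap-PDU of RFC 1157, used to check what snmpd_in logged and what trapgen1 sent.
import base64
import ipaddress
import re

# Second rawtrap value from the logfile.out listing above. Base64 encoders wrap at
# 76 columns, so the token may arrive with line breaks; rawtrap_bytes() drops them.
RAWTRAP = (
    "MG8CAQAEBnB1YmxpY6RiBggrBgEEAYKNe0AEwKgAMwIBBgICA+hDAWQwRjAaBgwrBQEEAYKNewEG\n"
    "zhAECmxvY2FsaG9zdCAwKAYMKwUBBAGCjXsBBs4RBBggc3lzbG9nZCAxLjQuMTogcmVzdGFydC4=\n"
)
TRAP_V1 = 0xA4  # context tag [4] = SNMPv1 Trap-PDU (an SNMPv2c trap would carry 0xA7)

def rawtrap_bytes(token):
    """Drop anything outside the Base64 alphabet (line-wrap residue), then decode."""
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", token))

def tlvs(buf):
    """Yield (tag, contents) for each BER TLV in buf; definite lengths only."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low bits = number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def ber_int(v):
    return int.from_bytes(v, "big", signed=True)

def ber_oid(v):
    """OBJECT IDENTIFIER contents -> dotted string (first octet packs two arcs)."""
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:                        # base 128, high bit set = more octets follow
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_trap(pdu):
    """Parse an SNMPv1 Trap message into the fields snmpd_in logs as tokens."""
    (_, msg), = tlvs(pdu)                                   # Message ::= SEQUENCE
    (_, ver), (_, comm), (tag, trap) = tlvs(msg)            # version, community, PDU
    if tag != TRAP_V1:
        raise ValueError("not an SNMPv1 Trap-PDU: tag 0x%02x" % tag)
    (_, ent), (_, addr), (_, gen), (_, spec), (_, ticks), (_, vbl) = tlvs(trap)
    varbinds = []
    for _, vb in tlvs(vbl):                                 # VarBind ::= SEQUENCE {name, value}
        (_, oid), (vtag, val) = tlvs(vb)
        varbinds.append((ber_oid(oid), vtag, val.decode("latin-1")))
    return {"version": ber_int(ver),                        # 0 = SNMPv1, 1 = SNMPv2c
            "community": comm.decode("latin-1"),
            "enterprise": ber_oid(ent),
            "agentaddr": str(ipaddress.IPv4Address(bytes(addr))),
            "generic-trap": ber_int(gen),
            "specific-trap": ber_int(spec),
            "timestamp": ber_int(ticks),
            "varbinds": varbinds}                           # (oid, BER tag, value); 4 = OCTET STRING

def enc(tag, body):
    """TLV with a short or one-octet long-form length (every PDU here is < 256 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def enc_int(tag, n):
    return enc(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:                      # remaining base-128 digits, high bit set
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return enc(0x06, bytes(out))

def encode_trap(community, enterprise, agentaddr, generic, specific, ticks, varbinds):
    """Build an SNMPv1 Trap message; varbinds is a list of (oid, string) pairs."""
    vbl = b"".join(enc(0x30, enc_oid(o) + enc(0x04, s.encode("latin-1"))) for o, s in varbinds)
    trap = (enc_oid(enterprise) + enc(0x40, ipaddress.IPv4Address(agentaddr).packed)
            + enc_int(0x02, generic) + enc_int(0x02, specific) + enc_int(0x43, ticks)
            + enc(0x30, vbl))
    return enc(0x30, enc_int(0x02, 0) + enc(0x04, community.encode()) + enc(TRAP_V1, trap))

def rebuild_from_rule_tokens():
    """Re-create the second logged trap from what the rules file handed trapgen1."""
    # "$IN{node} :: $IN{desc}" split on '::': the spaces around the delimiter survive.
    values = "localhost :: syslogd 1.4.1: restart.".split("::")
    # OIDs as logged in varbindOID0/1 (suffix scheme copied from the log, not derived);
    # the 100-tick timestamp is likewise taken from the decoded PDU, not from the rules.
    oids = ["1.3.5.1.4.1.34555.1.6.10000", "1.3.5.1.4.1.34555.1.6.10001"]
    return encode_trap("public", "1.3.6.1.4.1.34555", "192.168.0.51",
                       6, 1000, 100, list(zip(oids, values)))

if __name__ == "__main__":
    print(decode_trap(rawtrap_bytes(RAWTRAP)))
    print("rebuilt == logged:", rebuild_from_rule_tokens() == rawtrap_bytes(RAWTRAP))
```

Run it as a script to print the decoded fields and the round-trip result. Feeding rawtrap_bytes() the first rawtrap value from the listing decodes the su(pam_unix) event the same way, and the ValueError branch is what fires if a v2c trap (tag 0xA7) ever shows up instead, which is the quickest way to learn what a given snmptrap_out setting really emits.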
