Classifying SNMP traps

By default, most SNMP traps will appear in the /Unknown event class. To map them to a more meaningful event class, you can re-classify them with an event mapping.

To classify an SNMP trap event:

  1. From the Event Console, select the unknown event or events.
  2. Click the Reclassify an event icon. The Classify Events dialog appears.
  3. Select /App, and then click Submit.

    To edit this classification:

    1. From the Navigation area, select Events > Event Classes.
    2. Ensure Mapping Instances appears.
    3. Select the event map you created.
    4. In the left panel, select Edit from the Action icon.

      The edit page appears. This page contains rules used to map the event to the /App category. This rule, since it matches the trap by a specific OID, is all that is needed.

      In the Transform area, you can enter code to modify the summary. For example, if you want to set the summary string to "Spam Filter Detects Virus", you can enter:

      evt.summary = "Spam Filter Detects Virus"
      

      A trap has a header with some standard information, followed by a sequence of attribute/value pairs.

      You have indicated you want the value for the OID ".1.3.6.1.4.1.9789.1500.2.5" as the summary. If you had the MIB loaded, you could do this:

      evt.summary = evt.spamFilterDetectsVirus
      

      Without the MIB loaded, however, the OID and its data are still in the event. Instead, use the slightly more cryptic:

      evt.summary = getattr(evt, ".1.3.6.1.4.1.9789.1500.2.5", "Unexpected missing OID")
      

      The "device" object for the event has been made available, as well:

      evt.summary = getattr(evt, ".1.3.6.1.4.1.9789.1500.2.5", "Unexpected missing OID") + " from device " + device.getId()
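
The varbind value is supplied by whatever sent the trap, so a transform that copies it into the summary should bound and clean it first. The following is an added example, not Resource Manager's own code: FakeEvent, FakeDevice, clean, apply_transform and the 128-character cap are assumptions made here so the transform logic can be run outside the product.

```python
# Added example: stand-ins for the evt and device objects a transform
# receives. FakeEvent and FakeDevice are hypothetical names.
import re

TRAP_OID = ".1.3.6.1.4.1.9789.1500.2.5"   # OID quoted in the text above
MAX_LEN = 128                              # assumed cap on varbind text
_CONTROL = re.compile(r"[\x00-\x1f\x7f]+")  # control bytes, incl. CR/LF


class FakeEvent(object):
    """Constructed event: each varbind is an attribute named by its OID."""
    def __init__(self, varbinds):
        for oid, value in varbinds.items():
            setattr(self, oid, value)
        self.summary = ""


class FakeDevice(object):
    """Constructed device exposing only getId(), as used in the text."""
    def __init__(self, dev_id):
        self._id = dev_id

    def getId(self):
        return self._id


def clean(value):
    """Treat the varbind as untrusted: single line, no control bytes, bounded."""
    text = _CONTROL.sub(" ", str(value)).strip()
    return text[:MAX_LEN]


def apply_transform(evt, device):
    """Transform body as a function: look up the varbind by OID, fall back
    to a fixed string when it is missing or empty after cleaning."""
    text = clean(getattr(evt, TRAP_OID, "")) or "Unexpected missing OID"
    evt.summary = text + " from device " + device.getId()
    return evt.summary
```

Inside an actual transform only the lookup and assignment lines are needed, since evt and device are already provided.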
      

      Resource Manager uses MIBs to translate SNMP traps that contain raw OID values. Loading a MIB into the system allows it to translate numeric OIDs such as .1.3.6.1.2.1.1.6 into descriptive phrases like "sysLocation". It also makes it easier to manipulate the events in an event mapping.

      Following is a small demonstration MIB.

      NOTIFICATION-TEST-MIB DEFINITIONS ::= BEGIN
      IMPORTS
          ucdavis FROM UCD-SNMP-MIB
          NOTIFICATION-TYPE FROM SNMPv2-SMI
          sysLocation FROM SNMPv2-MIB  -- referenced in OBJECTS below
      ;
      demonotifs OBJECT IDENTIFIER
          ::= { ucdavis 991 }
      demo-notif NOTIFICATION-TYPE
          OBJECTS { sysLocation }
          STATUS current
          DESCRIPTION "Just a test notification"
          ::= { demonotifs 17 }
      END