Solved: SNMP Traps Regarding ISE Processes, What Names and States?

dmindel · ‎02-27-2020

A major MSP is looking to provide management for ISE. Part of that is monitoring the health of the appliance and the ISE services. Would you advise on the following?

Are the processes to set up traps for

app-server, rsyslog, redis-server, ad-connector, mnt-collector, mnt-processor, ca-server est-server, and elasticsearch

These are listed here: www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_011000.html#id_17078

If that is correct, then what states do we trap on? The above link has:

Cisco ISE sends traps for the following statuses to the configured SNMP server:

Process Start (monitored state)
Process Stop (not monitored state)
Execution Failed: When the process state changes from Monitored to Execution failed, a trap is sent.
Does Not Exist: When the process state changes from Monitored to Does not exist, a trap is sent.

The host-resources-mib mentioned does not have states that align to this. www.cisco.com/c/en/us/td/docs/voice_ip_comm/pgw/7/mibs/guide/7MIB_Ch4.html

It has:

hrDeviceStatus OBJECT-TYPE

SYNTAX INTEGER {

unknown(1),

running(2),

warning(3),

testing(4),

down(5)

Is there a mapping, or am I looking in the wrong place?

Kind regards, David

thomas · ‎02-28-2020

SNMP Traps to Monitor Cisco ISE > Table 2. Process Monitoring SNMP Traps in Cisco ISE says

HOSTRESOURCES- MIB::hrSWRunName = STRING: "redis-server:Running"

Cisco ISE sends traps using the OID of hrSWRunName that belongs to the HOST-RESOURCES MIB and sets the OID value as < PROCESS NAME > - < PROCESS STATUS >, for example, runtime - running.

Looking in the HOST-RESOURCES-MIB that you referenced, I see hrSWRunName is part of a table

hrSWRunTable :
HrSWRunEntry ::= SEQUENCE {
    hrSWRunIndex INTEGER,
    hrSWRunName InternationalDisplayString,
    hrSWRunID ProductID,
    hrSWRunPath InternationalDisplayString,
    hrSWRunParameters InternationalDisplayString,
    hrSWRunType INTEGER,
    hrSWRunStatus INTEGER
}

And later in the MIB it says

hrSWRunStatus OBJECT-TYPE
SYNTAX INTEGER {
    running(1),
    runnable(2), -- waiting for resource (CPU, memory, IO)
    notRunnable(3), -- loaded but waiting for event
    invalid(4) -- not loaded
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The status of this running piece of software. Setting this value to invalid(4) shall cause this software to stop running and to be unloaded."

which looks accurate to me.

You quoted hrDeviceStatus and not hrSWRunStatus.

View solution in original post

Cristian Matei · ‎02-27-2020

Hi,

Never tried looking in the MIB's, but i would say the answer lies in the documentation:

Cisco ISE sends traps using the OID of hrSWRunName that belongs to the HOST-RESOURCES MIB and sets the OID value as < PROCESS NAME > - < PROCESS STATUS>, for example, runtime - running

Regards,

Cristian Matei.

dmindel · ‎02-28-2020

The fist reply is appreciated but doesn't answer the question: the traps sent, there appears to be a mismatch regarding the states between the documentation and MIB. Also looking for confirmation on the process names. These are from the doc, so already familiar wth the doc.

thomas · ‎02-28-2020

SNMP Traps to Monitor Cisco ISE > Table 2. Process Monitoring SNMP Traps in Cisco ISE says

HOSTRESOURCES- MIB::hrSWRunName = STRING: "redis-server:Running"

Cisco ISE sends traps using the OID of hrSWRunName that belongs to the HOST-RESOURCES MIB and sets the OID value as < PROCESS NAME > - < PROCESS STATUS >, for example, runtime - running.

Looking in the HOST-RESOURCES-MIB that you referenced, I see hrSWRunName is part of a table

hrSWRunTable :
HrSWRunEntry ::= SEQUENCE {
    hrSWRunIndex INTEGER,
    hrSWRunName InternationalDisplayString,
    hrSWRunID ProductID,
    hrSWRunPath InternationalDisplayString,
    hrSWRunParameters InternationalDisplayString,
    hrSWRunType INTEGER,
    hrSWRunStatus INTEGER
}

And later in the MIB it says

hrSWRunStatus OBJECT-TYPE
SYNTAX INTEGER {
    running(1),
    runnable(2), -- waiting for resource (CPU, memory, IO)
    notRunnable(3), -- loaded but waiting for event
    invalid(4) -- not loaded
}
ACCESS read-write
STATUS mandatory
DESCRIPTION
"The status of this running piece of software. Setting this value to invalid(4) shall cause this software to stop running and to be unloaded."

which looks accurate to me.

You quoted hrDeviceStatus and not hrSWRunStatus.

dmindel · ‎03-05-2020

Thank you. So do we think that any time the state changes the trap is sent? For any of the processes?

I'm trying to understand what the processes do (so that we can properly prioritize these). The documentation lists app-server, rsyslog, redis-server, ad-connector, mnt-collector, mnt-processor, ca-server, est-server, elasticsearch. I can guess with some (rsyslog, ad-connector, ca-server), not the rest.

The states you mention do not match the states in the documentation. Thoughts on that?

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_admin_guide_27/b_ise_admin_guide_27_chapter_011000.html#id_17078

Processes:

.1.3.6.1.2.1.25.4.2.1.2

HOST-RESOURCES-MIB::hrSWRunName

A textual description of this running piece of software, including the manufacturer, revision, and the name by which it is commonly known. If this software was installed locally, this should be the same string as that used in the corresponding hrSWInstalledName. The services taken into consideration are app-server, rsyslog, redis-server, ad-connector, mnt-collector, mnt-processor, ca-server est-server, and elasticsearch.

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (63692139) 7 days, 8:55:21.39 SNMPv2-MIB::snmpTrapOID.0 = OID: HOSTRESOURCES- MIB::hrSWRunName HOSTRESOURCES- MIB::hrSWRunName = STRING: "redis-server:Running"

The states are in the mentioned/attached host-resources-mib):