Ciscoworks LMS 4.0 DFM Custom Traps

canero · ‎03-02-2011

Hello,

We want to use Ciscoworks LMS 4.0 for Access Control List Monitoring. i.e. if we end the ACLs with "log" entry, we may send the ACL deny logs to the Ciscoworks as Syslog or Snmp Trap format.

With "debug snmp packets" command we may observe the packets are sent to the LMS, but the traps don't show up as alarms. Is it possible to observe any trap entry with LMS DFM Fault Manager by customizing the module, because we think the engine of the DFM analyzes the traps and shows some of the traps, not all of the traps are observable.

The command output is as below:

Thanks in Advance,

Best Regards,

Mar 2 10:28:30.028: SNMP: Queuing packet to 10.10.10.1
.Mar 2 10:28:30.028: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr 10.10.20.1, gen trap 6, spectrap 1
clogHistoryEntry.2.742 = SEC
clogHistoryEntry.3.742 = 7
clogHistoryEntry.4.742 = IPACCESSLOGDP
clogHistoryEntry.5.742 = list 191 denied icmp 10.10.10.1 -> 10.10.20.1 (0/0), 10 packets
clogHistoryEntry.6.742 = 69082382

Martin Ermel · ‎03-09-2011

DFM consumes the traps and decides based on its built-in code-book what to do - rise one of the predefined Events or just silently ignore it. The best DFM can do is forward the trap as-is to another trap receiver.

Perhaps the LMS Syslog-Server can do what you want and lauch automated actions (like scripts or e-mail) based on certain criteria.

But you should take care of the underlying syslog file and keep its size under control with logrot.pl utility.

The online help of LMS should give you more details on the syslog capabilities or this link to the LMS 4.0 Administration Guide:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/useNotif.html#wp1075603