03-19-2008 01:48 PM - edited 03-10-2019 01:41 PM
I'm trying to get triggered events from our IPS 4235 to report in HPOV. I've configured SNMP and see IPS system events in OpenView. I've updated the signatures that show up in the events database to include the "Request SNMP Trap". However, I don't see any signature triggered events. From what I've read, this should be working. Any thoughts?
Thanks,
Bert
03-19-2008 02:52 PM
Did you also set enable-notifications to true in the SNMP configuration on the sensor? Can you please paste both the SNMP config and the signature config to make sure your edits are correct?
thx
Madhu
03-21-2008 08:42 AM
Madhu,
I have enabled SNMP gets/set, Enabled SNMP traps (have selected Fatal, Error & Warning), and Enabled detailed traps for alerts. On my signatures, I have added the action "request SNMP trap". Is there something else I need to do?
Thanks,
bert
03-21-2008 08:49 AM
I am assuming you also configured the trap-destinations in the notification configuration as the OpenView station besides the community strings for read and write. Make sure the signatures are seen on cli as being fired. Otherwise that's all we do to get the traps sent.
Another quick way to test the same is adding a global override for request-snmp-trap in "service event-action-rules". This setting will send traps for every alert even if you have not set the event-action on signatures to request-snmp-trap. You can also verify the statistics under "show statistics notification" to confirm the number of gets, sets and traps.
thx
Madhu
03-21-2008 09:16 AM
Right, I have the ip address of our HPOV in the notification configuration. I checked the stats, 20 errors have been sent and 14228 alerts have been sent.
My service notification is configured as such:
trap-destination
trap-community-name
trap-port 162
exit
error-filter warning|error|fatal
enable-detail true
enable-notification true
enable-get-set true
By the way, we are receiving the error messages being sent from the IDS.
Thanks,
Bert
03-21-2008 09:28 AM
Appears like there is no issue on the Sensor end as per the stats. A packet snoop on your OpenView station (if permitted) would help you to debug on the packets received. Also I am assuming you have compiled the new CIDS MIB fine on the OpenView. If you have any other management tool handy like traprcv you can confirm the receipt of traps to eliminate the sensor problem.
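One way to read what the packet capture on the OpenView station shows, as an added example that is not part of the original thread: a small decoder for the UDP payload of an SNMPv1/v2c trap that reports the version, community, PDU type and trap OID that actually arrived. The sample datagram, its "public" community and the 1.3.6.1.4.1.99999 OID are constructed placeholders, and the function names are this example's own.

```python
import sys

PDU_NAMES = {0xA4: "v1-trap", 0xA6: "inform", 0xA7: "v2-trap"}
# Constructed SNMPv2c trap (community "public", placeholder trap OID); not a real capture.
SAMPLE = bytes.fromhex("3041020101 04067075626c6963 a734 020101 020100 020100 3029"
                       "300d 06082b06010201010300 430164"
                       "3018 060a2b060106030101040100 060a2b06010401868d1f0001")

def children(buf):
    """Split a BER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 digits; high bit set means more follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def summarize_trap(datagram):
    """Return version, community, PDU type and trap identity of an SNMPv1/v2c message."""
    (tag, msg), = children(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, ver), (_, community), (pdu_tag, pdu) = children(msg)
    info = {"version": {0: "1", 1: "2c"}.get(ver[0], "?"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "community": community.decode("ascii", "replace")}
    fields = children(pdu)
    if pdu_tag == 0xA4:                    # enterprise, agent-addr, generic-trap, specific-trap
        info.update(enterprise=decode_oid(fields[0][1]), generic=fields[2][1][0],
                    specific=int.from_bytes(fields[3][1], "big"))
    elif pdu_tag in (0xA6, 0xA7):          # request-id, error-status, error-index, varbinds
        _, value = children(children(fields[3][1])[1][1])  # 2nd varbind is snmpTrapOID.0
        info["trap_oid"] = decode_oid(value[1])
    return info

if __name__ == "__main__":
    payload = bytes.fromhex(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(summarize_trap(payload))
```

Pass the hex of a UDP payload taken from the capture as the first argument to decode it instead of the sample.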
03-21-2008 09:29 AM
Thanks for the help. I'll see what I can do to figure this out and let you know what the solution was.
Bert
03-21-2008 09:51 AM
I have not compiled anything for OpenView. Do you know where I can get the latest MIB?
Thanks,
Bert
03-21-2008 11:08 AM
Here is the MIB downloaded from CCO and attached.
The CCO link to download any MIB is http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2
Rgds
Madhu
03-21-2008 12:45 PM
Awesome! Thanks Madhu!
Bert