Purpose
Provide an SNMP trap handling solution that can scale to 300 traps per second.
Overview
This solution uses snmptrapd to pull each trap off the wire, apply access control, translate it using the loaded MIBs, and forward it to rsyslog. rsyslog then writes the translated trap to a log file that opEvents processes. opEvents applies filtering, parsing and actions as appropriate.
SNMP Trap Processing - Line Diagram
snmptrapd --> rsyslog --> /var/log/nmis/syslogSnmpTrap.log --> opEvents --> Blacklist --> EventParserRules --> clarogtSnmpTrapParserPlugin.pm
Deployment Steps
Step #1 - Configure snmptrapd to forward traps to rsyslog
Below is an example of configuring snmptrapd to send traps to rsyslog. The '-Ls' flag tells snmptrapd to send its logging output to syslog, and the argument '2' in '-Ls 2' selects the local2 facility. The facility value is what rsyslog keys on for its routing decisions.
/etc/sysconfig/snmptrapd
OPTIONS="-n -Ls 2 -p /var/run/snmptrapd.pid -m ALL -M /usr/local/nmis8/mibs/traps"
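The rsyslog side of this step, as an added example that is not part of the original page: a rule that routes everything snmptrapd emits on local2 into the log file opEvents reads. The drop-in file name is an assumption; the facility and log path are the ones used above.

```conf
# /etc/rsyslog.d/10-snmptrap.conf  (file name is an assumption; any file under
# /etc/rsyslog.d/ that the main rsyslog.conf includes will do)

# Everything snmptrapd logs with facility local2 (selected by "-Ls 2") goes to
# the file opEvents processes. The leading "-" tells rsyslog not to flush after
# every line, which matters at 300 traps per second.
local2.*    -/var/log/nmis/syslogSnmpTrap.log

# Stop processing here so the same trap is not also copied into
# /var/log/messages at trap rate. On rsyslog older than 7 the equivalent is "& ~".
& stop

# Caveat: imuxsock rate limiting ($SystemLogRateLimitInterval /
# $SystemLogRateLimitBurst in /etc/rsyslog.conf on older distributions) silently
# drops bursts above its threshold; confirm it is disabled or sized for the rate.
```

After reloading rsyslog, `logger -p local2.info test` should land a line in the file; check that before pointing opEvents at it.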