Purpose
Provide a SNMP trap handling solution that can scale to 300 traps per second.
Overview
This solution uses snmptrapd to pull each trap off the wire, apply access control, translate it, and then forward it to rsyslog. rsyslog writes the translated trap to a log file that opEvents processes. opEvents then applies filtering, parsing and actions as appropriate.
SNMP Trap Processing - Line Diagram
snmptrapd --> rsyslog --> /var/log/nmis/syslogSnmpTrap.log --> opEvents --> Blacklist --> EventParserRules --> clarogtSnmpTrapParserPlugin.pm
Deployment Steps
Step #1 - Configure snmptrapd to forward traps to rsyslog
Below is an example of configuring snmptrapd to send traps to rsyslog. The '-Ls' flag directs snmptrapd's logging output to syslog, and the value that follows it selects the syslog facility: '-Ls 2' sends the output with the local2 facility. The facility value is what rsyslog keys on for its routing decisions, so it must match the selector used in the rsyslog rule in the next step. Please review the snmptrapd and snmpcmd man pages for the full set of options.
OPTIONS="-n -Ls 2 -p /var/run/snmptrapd.pid -m ALL -M /usr/local/nmis8/mibs/traps"
Step #2 - Configure rsyslog to route traps into a specified log file
We need the traps to be placed into a specified log file that opEvents will process. The following rsyslog rule routes every message with facility local2 (at any priority) to the /usr/local/nmis8/logs/snmptrap.log file.
local2.* /usr/local/nmis8/logs/snmptrap.log
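The two deployment steps only work as a pipeline if the facility snmptrapd logs with and the facility rsyslog routes to the trap file are the same; when they differ, traps quietly end up in the default syslog stream and opEvents never sees them. The script below is an added example, not part of the original page or of the snmptrapd, rsyslog or opEvents projects: it parses the two configuration lines from the steps above (copied here as constructed sample input) and reports whether they agree. The mapping of the -Ls argument to a facility name follows the net-snmp documentation ('d' = daemon, 'u' = user, 0-7 = local0-local7); the log file path is the one used in Step #2.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the syslog facility
# snmptrapd is started with (-Ls N) is the same facility rsyslog routes to the
# trap log file that opEvents reads. Inputs are constructed copies of the two
# configuration lines shown in the deployment steps.

# Map the argument of snmptrapd's -Ls flag to an rsyslog facility name.
# net-snmp accepts 'd' (daemon), 'u' (user) or a digit 0-7 (local0..local7).
snmptrapd_facility() {
    options="$1"
    # Take the single token that follows -Ls, with or without a space ("-Ls 2", "-Lsd").
    arg=$(printf '%s\n' "$options" | sed -n 's/.*-Ls *\([du0-7]\).*/\1/p')
    case "$arg" in
        d)     echo daemon ;;
        u)     echo user ;;
        [0-7]) echo "local$arg" ;;
        *)     echo unknown ;;
    esac
}

# Print the facility of the first rsyslog selector line whose action is the
# given file (a leading '-' on the path, rsyslog's async-write marker, is
# tolerated), or "none" if no rule names that file.
rsyslog_facility_for_file() {
    rules="$1"
    file="$2"
    printf '%s\n' "$rules" | awk -v f="$file" '
        $2 == f || $2 == "-" f { split($1, sel, "."); print sel[1]; found = 1; exit }
        END { if (!found) print "none" }'
}

# Exit status 0 when both configurations agree on a known facility, 1 otherwise.
check_trap_routing() {
    a=$(snmptrapd_facility "$1")
    b=$(rsyslog_facility_for_file "$2" "$3")
    [ "$a" = "$b" ] && [ "$a" != unknown ] && [ "$b" != none ]
}

# Constructed sample input: the OPTIONS line from Step #1 and the rule from Step #2.
SNMPTRAPD_OPTIONS='-n -Ls 2 -p /var/run/snmptrapd.pid -m ALL -M /usr/local/nmis8/mibs/traps'
RSYSLOG_RULES='local2.* /usr/local/nmis8/logs/snmptrap.log'
TRAP_LOG=/usr/local/nmis8/logs/snmptrap.log

if check_trap_routing "$SNMPTRAPD_OPTIONS" "$RSYSLOG_RULES" "$TRAP_LOG"; then
    echo "ok: snmptrapd and rsyslog both use facility $(snmptrapd_facility "$SNMPTRAPD_OPTIONS")"
else
    echo "MISMATCH: snmptrapd logs with $(snmptrapd_facility "$SNMPTRAPD_OPTIONS") but rsyslog routes $(rsyslog_facility_for_file "$RSYSLOG_RULES" "$TRAP_LOG") to $TRAP_LOG"
fi
```

To use it against a live host, replace the two constructed strings with the contents of the snmptrapd OPTIONS line and the rsyslog rule file; the functions themselves do not read any files, so the check can be run before a change is deployed.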