SNMP Trap Monitor
This section is intended for BMC Defender Server users who operate the system and for system administrators responsible for installing its software components. It should also interest developers and administrators who want to extend the role of BMC Defender Server within an enterprise to include SNMP Trap monitoring.
The SNMP Trap Monitor extends the BMC Defender Server system to receive SNMP Traps, which lets BMC Defender Server actively monitor the network devices that issue them: UNIX servers, Windows platforms, routers, and similar equipment.
The SNMP Trap Monitor background process, CO-systrap.exe, listens continuously for traps on the standard UDP port 162. When a received trap matches the user-defined criteria, CO-systrap.exe composes a syslog message and sends it to the BMC Defender Server, informing the server of the state of the network and enterprise.
The SNMP Trap Monitor background process is configured and monitored using a tightly coupled integration with the main BMC Defender Server web interface. You can configure one of the several possible message formats and provide basic information to filter incoming traps, such as the trap community name and other criteria.
Features
SNMP Traps are a standard message format, issued by a variety of devices, typically to signal state changes and other information. Each SNMP Trap is a binary-encoded (not directly human readable) message that contains an IP address, a numeric identifier of the trap type, an indicator of the general system (or sub-system) type, and zero or more arguments. These components are described as follows:
- IP address—Each SNMP Trap carries the IP address of the device the trap is about, which might differ from the source IP address of the datagram that delivered it (for example, when traps are relayed through a proxy or forwarder). This address identifies the affected or associated network device that is the subject of the trap.
- Community name—Each SNMP Trap contains a user-defined string, referred to in SNMP nomenclature as the Trap Community Name. BMC Defender Server can use it to limit the traps it accepts to the group of devices that know the configured community name. (By default, BMC Defender Server accepts any community name, unless this configuration is specifically changed as discussed in further sections.) Treat the community name as a filter rather than as authentication: in SNMPv1 and SNMPv2c it travels in cleartext in the UDP datagram, and the datagram's source address can be spoofed, so also restrict which hosts can reach UDP port 162 on the monitor.
- Enterprise OID—Each SNMP Trap contains an identifier of the system or subsystem related to the trap and is referred to (in the nomenclature of SNMP) as the Object Identifier or OID. The Enterprise OID and trap number (described next) uniquely identify the SNMP Trap in the universe of possible traps. BMC Defender Server automatically translates the Enterprise OID into a human readable description.
- Trap number—Each SNMP Trap contains a generic trap number that identifies the trap type: coldStart (0), warmStart (1), linkDown (2), linkUp (3), authenticationFailure (4), egpNeighborLoss (5), and enterpriseSpecific (6). The enterprise-specific type can be extended to any number of vendor-defined traps, each identified by a second, vendor-assigned specific-trap number.
- Variable bindings—Each SNMP Trap can contain zero or more additional pieces of information. This additional information is referred to (in the nomenclature of SNMP) as a Variable binding, where each variable binding contains an arbitrary binding object and value. BMC Defender Server automatically formats variable bindings into a single human-readable message.
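The components listed above map directly onto the SNMPv1 Trap-PDU defined in RFC 1157, and seeing them in bytes makes the later filtering and formatting discussion concrete. The following Python is an added example, not code from BMC or from CO-systrap.exe: it builds a trap the way a device would and parses it the way a listener on UDP 162 would, with bounds checks on every length field because the datagram is untrusted input. The community name, the enterprise OID 1.3.6.1.4.1.99999, the agent address and the bindings are constructed sample values, and the function names are the example's own.

```python
# Added example (not BMC's CO-systrap.exe code): build and parse an SNMPv1
# Trap-PDU (RFC 1157). All OIDs, addresses and values are constructed samples.

def _tlv(tag, payload):
    """BER tag-length-value, short or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _int(tag, value):
    """Two's-complement INTEGER; also used for TimeTicks (tag 0x43)."""
    return _tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), 'big', signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split('.')]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_v1_trap(community, enterprise, agent_addr, generic, specific, uptime, varbinds):
    """Device side: Message{version=0, community, Trap-PDU [4]} as the UDP payload."""
    vbs = b''.join(
        _tlv(0x30, _oid(name) + (_tlv(0x04, val.encode()) if isinstance(val, str) else _int(0x02, val)))
        for name, val in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(0x40, bytes(int(o) for o in agent_addr.split('.')))   # IpAddress, APPLICATION 0
           + _int(0x02, generic) + _int(0x02, specific)
           + _int(0x43, uptime)                                         # TimeTicks, APPLICATION 3
           + _tlv(0x30, vbs))
    return _tlv(0x30, _int(0x02, 0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))

def _read_tlv(buf, pos):
    """Monitor side: read one TLV at pos, rejecting lengths that run past the datagram."""
    if pos + 2 > len(buf):
        raise ValueError('truncated TLV header')
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError('bad long-form length')
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    if pos + length > len(buf):
        raise ValueError('TLV length exceeds datagram')
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]             # correct for the 0. and 1. arcs used here
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return '.'.join(map(str, arcs))

def _decode_value(tag, raw):
    if tag in (0x02, 0x41, 0x42, 0x43):            # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, 'big', signed=(tag == 0x02))
    if tag == 0x04:                                # OCTET STRING: keep text, hex-dump binary
        text = raw.decode('utf-8', errors='replace')
        return text if text.isprintable() else raw.hex()
    if tag == 0x06:
        return _decode_oid(raw)
    if tag == 0x40:
        return '.'.join(map(str, raw))
    return None if tag == 0x05 else raw.hex()      # NULL, or an unknown type as hex

def parse_v1_trap(packet):
    """Return the page's components: address, community, enterprise, trap numbers, bindings."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError('not an SNMP message')
    _, ver, pos = _read_tlv(msg, 0)
    if int.from_bytes(ver, 'big', signed=True) != 0:
        raise ValueError('not SNMPv1')
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA4:
        raise ValueError(f'not a Trap-PDU (tag 0x{tag:02x})')
    fields, pos = [], 0
    for _ in range(6):          # enterprise, agent-addr, generic, specific, time-stamp, bindings
        _, raw, pos = _read_tlv(pdu, pos)
        fields.append(raw)
    ent, addr, gen, spec, ticks, vbs = fields
    varbinds, pos = [], 0
    while pos < len(vbs):
        _, vb, pos = _read_tlv(vbs, pos)
        _, name, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((_decode_oid(name), _decode_value(vtag, val)))
    return {'community': community.decode('latin-1'), 'agent_addr': '.'.join(map(str, addr)),
            'enterprise': _decode_oid(ent),
            'generic_trap': int.from_bytes(gen, 'big', signed=True),
            'specific_trap': int.from_bytes(spec, 'big', signed=True),
            'uptime': int.from_bytes(ticks, 'big'), 'varbinds': varbinds}

# Constructed sample: enterprise-specific trap (generic 6, specific 17), one text and one numeric binding.
SAMPLE_TRAP = build_v1_trap('public', '1.3.6.1.4.1.99999', '10.0.0.5', 6, 17, 123456,
                            [('1.3.6.1.4.1.99999.2.1', 'fan 2 failed'), ('1.3.6.1.4.1.99999.2.2', 42)])

if __name__ == '__main__':
    print(SAMPLE_TRAP.hex())
    print(parse_v1_trap(SAMPLE_TRAP))
```

Note the version check: an SNMPv2c trap carries version 1 and a different PDU tag (SNMPv2-Trap is tag 0xA7 with a request-id instead of the enterprise and address fields), so a listener that only understands the v1 layout must reject it rather than misread the fields.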
The network device controls the actual SNMP Trap transmission, and the administrator should configure each managed device with a Trap Destination and Trap Community value. The specific details of this configuration process vary and depend on the network device type and vendor instructions.
A large amount of information exists related to SNMP network management. A detailed discussion of all aspects of SNMP Trap reception is beyond the scope of this section. Users should consult third-party documentation for more information, or contact BMC Support for training.
The SNMP Trap Monitor contains the following components:
- CO-systrap.exe program—This is the trap listening process, responsible for receiving an SNMP Trap, converting it to syslog format, and forwarding the resulting message to BMC Defender Server. The process is configured to start on the System > Schedule tab, documented in further sections.
- Configuration tab—This is a support tab at Messages > Adapters > Traps in the BMC Defender Server web interface, installed as part of the Windows components. It lets the operator configure the parameters related to SNMP Trap reception.
- Configuration data—This is ancillary data that is used by the SNMP Trap process, such as a list of enterprise OIDs and their corresponding human-readable names. The end-user can modify this data, discussed in further sections.
System diagram
The SNMP Trap Monitor process consists of a single background process. This process reads configuration data that has been specified by the operator. The process awaits reception of SNMP Trap messages. When a device sends an SNMP Trap, the trap is converted to a syslog message and then sent to the BMC Defender Server.
The following diagram illustrates the CO-systrap.exe process (installed and configured as described in the next topics) continuously listening for SNMP Traps issued by network devices. The devices can be Windows platforms, UNIX servers, routers, switches, and other network equipment.
You can configure and monitor the background process by using the Messages > Adapters > Traps tab of the main BMC Defender Server web interface.
Output message formats
SNMP Trap messages are generally not human readable. BMC Defender Server converts each trap into a syslog message using several techniques, including parsing the optional variable bindings that accompany many SNMP Traps to compose a textual message. On the Messages > Adapters > Traps tab, the operator can select one of the three message formats that follow, plus two optional inclusions:
- Ergonomic format—This output format consists of the enterprise ID, followed by the trap identifier, and then any textual bindings. If no textual bindings are present, the remaining bindings are appended to the message instead. It is the most human-readable format and, as the default, the easiest to correlate.
- Brief format—This output format is the least readable and briefest type of format. The format consists of a series of object ID and values in the order that they are listed, omitting any values that are null or non-textual.
- Bind Ordered format—This output format is similar to the Ergonomic format except that variable bindings are listed in the order in which they are received (not necessarily the most logical or pertinent order to the user). This value might be useful when normalizing messages, or when a particular message binding is being parsed or tested by the correlation engine.
- Include source IP address in message—This setting adds the IP address contained in the trap to the message text. This is useful when the message's address field is overwritten by other parts of BMC Defender Server, because the address then survives in the text itself.
- Include trap community in message—This setting adds the trap community value to the message, which is useful for identifying the community name a particular trap arrived with.
The default output message format is the system default, which is the Ergonomic format on most systems. Generally, start with the Ergonomic format and change it only if the site specifically requires it.
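Putting the filter criteria and the output formats together, the following Python is an added example (not BMC's CO-systrap.exe code) of the filter-then-format step the page describes: a community filter that accepts everything when left unconfigured, the three message bodies, the two optional inclusions, and an RFC 3164-style syslog line. The parsed-trap field names, the enterprise-name table, the ordering rule used for the Ergonomic format, the severity mapping and the local0 facility are all assumptions made for the example, and the trap itself is constructed sample data.

```python
# Added example (not BMC's own code): community filter plus the three output
# formats, applied to a constructed parsed trap. Field names, the enterprise
# name table, the Ergonomic ordering rule and the facility/severity are assumptions.
import datetime as dt

SAMPLE_TRAP = {                       # constructed: what a trap parser would hand over
    'community': 'public', 'agent_addr': '10.0.0.5',
    'enterprise': '1.3.6.1.4.1.99999', 'generic_trap': 6, 'specific_trap': 17, 'uptime': 123456,
    'varbinds': [('1.3.6.1.4.1.99999.2.2', 42),
                 ('1.3.6.1.4.1.99999.2.1', 'fan 2 failed'),
                 ('1.3.6.1.4.1.99999.2.3', None)],
}
DEMO_TIME = dt.datetime(2024, 3, 5, 12, 34, 56)   # fixed timestamp so the output is reproducible

ENTERPRISE_NAMES = {'1.3.6.1.4.1.99999': 'ExampleVendor'}   # stands in for the OID name table
GENERIC_TRAPS = {0: 'coldStart', 1: 'warmStart', 2: 'linkDown', 3: 'linkUp',
                 4: 'authenticationFailure', 5: 'egpNeighborLoss', 6: 'enterpriseSpecific'}
SEVERITY = {2: 4, 4: 4, 5: 4}         # assumed: linkDown/authFailure/neighborLoss -> warning(4), else info(6)
FACILITY = 16                         # assumed: local0

def accept_trap(trap, allowed_communities=()):
    """Community filter. An empty filter accepts any community (the page's default);
    otherwise the community must match exactly. This is a noise filter, not
    authentication: v1/v2c communities are cleartext and UDP sources can be spoofed."""
    return not allowed_communities or trap['community'] in allowed_communities

def trap_identifier(trap):
    """Generic trap name, with the vendor-specific number appended for enterprise traps."""
    g = trap['generic_trap']
    name = GENERIC_TRAPS.get(g, f'generic{g}')
    return f"{name}.{trap['specific_trap']}" if g == 6 else name

def format_message(trap, fmt='ergonomic'):
    """Body of the syslog message in one of the page's three formats."""
    present = [(o, v) for o, v in trap['varbinds'] if v is not None]   # drop NULL values
    textual = [(o, v) for o, v in present if isinstance(v, str)]
    if fmt == 'brief':                 # textual values only, wire order, no header
        return ' '.join(f'{o}={v}' for o, v in textual)
    if fmt == 'bind_ordered':          # header, then every binding in wire order
        chosen = present
    elif fmt == 'ergonomic':           # assumed reorder: textual bindings first, numeric after
        chosen = textual + [b for b in present if b not in textual]
    else:
        raise ValueError(f'unknown format {fmt!r}')
    header = f"{ENTERPRISE_NAMES.get(trap['enterprise'], trap['enterprise'])} {trap_identifier(trap)}"
    return header + ''.join(f' {o}={v}' for o, v in chosen)

def trap_to_syslog(trap, fmt='ergonomic', include_source=False, include_community=False,
                   allowed_communities=(), hostname='defender-trap', when=None):
    """Return an RFC 3164-style line for the trap, or None if the community filter rejects it."""
    if not accept_trap(trap, allowed_communities):
        return None
    when = when or dt.datetime.now()
    pri = FACILITY * 8 + SEVERITY.get(trap['generic_trap'], 6)
    msg = format_message(trap, fmt)
    if include_source:
        msg = f"[{trap['agent_addr']}] {msg}"
    if include_community:
        msg += f" community={trap['community']}"
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 space-padded day
    return f"<{pri}>{stamp} {hostname} CO-systrap: {msg}"

if __name__ == '__main__':
    for fmt in ('ergonomic', 'brief', 'bind_ordered'):
        print(fmt, '->', trap_to_syslog(SAMPLE_TRAP, fmt, True, True, when=DEMO_TIME))
    print('filtered ->', trap_to_syslog(SAMPLE_TRAP, allowed_communities=('secret',)))
```

Running it shows why the Ergonomic body is easier to correlate (the text binding leads and the NULL binding is dropped) while Bind Ordered preserves the wire order a correlation rule may have been written against, and that a configured community list silently drops non-matching traps rather than producing a message.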