
Send SNMP Trap Messages to Flashduty

SNMP is the main protocol for monitoring network devices, but it can be cumbersome. If you want to monitor key network-device problems and alert efficiently, SNMP Trap is a good option. This article shows how to use snmptrapd, SNMPTT, and Flashduty together.

Sole

1. SNMP Protocol

1. Protocol Overview

SNMP is widely used in daily operations. Most network devices and storage devices support SNMP, which can be used to monitor and manage device status.

2. Main Components

SNMP consists of three main parts:

SNMP protocol

SNMP Agent: handles SNMP requests, mainly get and set. It can query device runtime status, which is common, or change configuration, which is less common. It uses UDP port 161 by default.
SNMP Trap: an SNMP notification message actively sent to the manager. Device failures, port down events, and similar issues are sent to the receiver in real time. It uses UDP port 162 by default.
SNMP MIB: MIB stands for Management Information Base. It is a hierarchical collection of information that defines the attributes of managed objects inside a device.

2. SNMP Trap Notification

1. Introducing SNMPTT

SNMPTT (SNMP Trap Translator) is a Perl program for processing SNMP Trap messages. It can be used together with snmptrapd from www.net-snmp.org. The basic flow is:

SNMPTT processing flow

SNMPTT processes trap messages received by net-snmp through the snmptt command or snmptthandler. After parsing messages, it can write them to files or databases.

2. Install SNMPTT

The operating system in this example is Debian 12 x64. Install SNMPTT and related components with apt:

apt-get install snmptt libnet-syslogd-perl libnet-ip-perl

3. Convert MIB Files to Rule Files

If an SNMP Trap message is not translated, the raw content may look like this:

{
  "Version": 2,
  "TrapType": 0,
  "OID": null,
  "Other": null,
  "Community": "public",
  "Username": "",
  "Address": "172.16.1.64:49692",
  "VarBinds": {
    ".1.3.6.1.2.1.1.3.0": 7908527690000000,
    ".1.3.6.1.2.1.2.2.1.1.18": 18,
    ".1.3.6.1.2.1.2.2.1.2.18": "Vlanif103",
    ".1.3.6.1.2.1.2.2.1.7.18": 2,
    ".1.3.6.1.2.1.2.2.1.8.18": 2,
    ".1.3.6.1.6.3.1.1.4.1.0": [1, 3, 6, 1, 6, 3, 1, 1, 5, 3]
  },
  "VarBindOIDs": [
    ".1.3.6.1.2.1.1.3.0",
    ".1.3.6.1.6.3.1.1.4.1.0",
    ".1.3.6.1.2.1.2.2.1.1.18",
    ".1.3.6.1.2.1.2.2.1.7.18",
    ".1.3.6.1.2.1.2.2.1.8.18",
    ".1.3.6.1.2.1.2.2.1.2.18"
  ]
}

To understand the meaning of these OIDs and values, compare them with the device MIB file and translate the message. SNMPTT loads configuration files to translate trap messages.

SNMPTT provides snmpttconvertmib, a Perl script that reads a MIB file and converts TRAP-TYPE (v1) or NOTIFICATION-TYPE (v2) definitions into SNMPTT-readable configuration. Basic command:

/usr/bin/snmpttconvertmib --in=/usr/share/snmp/mibs/CPQHOST.mib --out=/etc/snmp/snmptt.conf.compaq --net_snmp_perl

Upload the SNMP Trap MIB file to /usr/share/snmp/mibs/. This example uses CPQHOST.mib; /etc/snmp/snmptt.conf.compaq is the converted output file.

Devices often provide multiple MIB files. For easier management, convert them into one configuration file with a batch command:

# Run from the directory that holds the HUAWEI* MIB files
for i in HUAWEI*
do
    /usr/bin/snmpttconvertmib --in="$i" --out=/etc/snmp/snmptt.conf.huawei --net_snmp_perl
done

After conversion, configure the result as an SNMPTT parsing file.

4. Configure SNMPTT

SNMPTT has two configuration files:

  • /etc/snmp/snmptt.ini: main SNMPTT configuration.
  • /etc/snmp/snmptt.conf: default policy file, including basic port up/down rules.

Modify the default snmptt.ini configuration. The main fields are:

mode = standalone
multiple_event = 0
net_snmp_perl_enable = 1
translate_log_trap_oid = 1
syslog_enable = 0

At the end of the file, add the rule file generated by snmpttconvertmib:

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file).  The COMPLETE path
# and filename.  Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/snmptt.conf.compaq
END

SNMPTT has two modes:

  • standalone: reads snmptt.ini and calls snmptthandler each time a trap message is received.
  • daemon: runs as a daemon and reads snmptt.ini once, during initialization at startup.

The modes differ. Choose the one that fits your use case. See the official SNMPTT mode documentation.

Because this is a test setup and snmptt.ini is modified frequently, daemon mode would require restarting SNMPTT after each change. This example uses standalone mode.

5. Configure snmptrapd

SNMP Trap messages are proactive notifications, so a service must be configured to receive traps from devices. After snmptrapd receives a trap, it uses traphandle to call SNMPTT for processing.

Install snmptrapd:

apt-get install snmptrapd -y

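Modify /etc/snmp/snmptrapd.conf and add the lines below. disableAuthorization yes turns off snmptrapd's access-control checks, so every incoming notification is accepted and handed to the handler whatever its community string; that suits this test setup, while authCommunity entries restrict processing to named communities.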

disableAuthorization yes
traphandle default /usr/sbin/snmptt

Start the service:

systemctl start snmptrapd
systemctl enable snmptrapd

6. Rule Configuration

After the system receives a trap, snmptrapd passes it to SNMPTT. SNMPTT processes the trap according to configured rules.

First, add a default rule in snmptt.conf:

EVENT default .* "Normal" "Warning"
EXEC /usr/local/bin/send_snmptt_alert.sh snmptrap "$s" "$aR" "$o" "$*"

Any unmatched trap executes /usr/local/bin/send_snmptt_alert.sh. If you need to execute commands for specific SNMP Traps, configure a rule like this. A typical trap rule has this structure:

EVENT hwSecLOGINSucced .1.3.6.1.4.1.2011.6.122.62.2.1 "Status Events" Normal
FORMAT $aA $*
SDESC

The user login succeeded.
Variables:
  1: hwSecLOGINUser
     Syntax="OCTETSTR"
     Descr="The user name."
  2: hwSecLOGINIP
     Syntax="OCTETSTR"
     Descr="The User IP address."
  3: hwSecLOGINTime
     Syntax="OCTETSTR"
     Descr="The User login time."
  4: hwSecLOGINType
     Syntax="OCTETSTR"
     Descr="The User access type."
  5: hwSecLOGINLevel
     Syntax="INTEGER32"
     Descr="The User login level."
EDESC
......
  • EVENT defines the event type and corresponding SNMP Trap OID.
  • FORMAT formats the SNMP Trap alert content using SNMPTT internal variables.
  • SDESC to EDESC contains the event description.
  • EXEC calls an external script when the event is received.

After FORMAT, add:

EXEC /usr/local/bin/send_snmptt_alert.sh snmptrap "$s" "$aR" "$o" "$*"

When this trap is received, /usr/local/bin/send_snmptt_alert.sh runs with the following parameters. These parameters are SNMPTT built-ins and can also be used in FORMAT. See http://snmptt.sourceforge.net/docs/snmptt.shtml#SNMPTT.CONF-FORMAT. Common examples:

  • $aA: SNMP Trap agent IP, that is, the source IP.
  • $o: numeric OID.
  • $*: all variables.
  • $n: where n is a number, indicating the variable order.

At this point, SNMP Trap reception and translation are complete.

3. Flashduty Configuration

1. Add an Integration

Log in to Flashduty. Create a workspace, open the integration center, choose Standard Alert integration, create an SNMP integration, and record the push URL.

Create Flashduty integration

2. Create the Sending Script

Create /usr/local/bin/send_snmptt_alert.sh with the following content:

#!/bin/bash

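# Positional parameters, in the order of the SNMPTT EXEC line:
#   EXEC /usr/local/bin/send_snmptt_alert.sh snmptrap "$s" "$aR" "$o" "$*"
INTEGRATION_KEY="XXXXXXXXXXX"  # Replace with your integration_key
SERVICE=$1      # literal string "snmptrap"
STATUS=$2       # $s
RESOURCE=$3     # $aR
METRIC=$4       # $o (numeric OID)
DESCRIPTION=$5  # $* (all variables)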

# Define API URL
API_URL="https://api.flashcat.cloud/event/push/alert/standard?integration_key=$INTEGRATION_KEY"

# Build POST JSON payload
POST_DATA=$(cat <<EOF
{
  "event_status": "$STATUS",
  "alert_key": "$METRIC",
  "description": "$DESCRIPTION",
  "title_rule": "$RESOURCE::$SERVICE",
  "labels": {
    "service": "$SERVICE",
    "resource": "$RESOURCE",
    "metric": "$METRIC"
  }
}
EOF
)

# Send POST request with curl
curl -X POST "$API_URL" \
     -H "Content-Type: application/json" \
     -d "$POST_DATA" 

Grant execute permission. INTEGRATION_KEY is the key from the platform-provided push URL:

chmod a+x /usr/local/bin/send_snmptt_alert.sh
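
The script above places trap-derived values directly inside JSON string literals, so a variable value containing a double quote, backslash, or newline produces invalid or altered JSON. The following added example (not part of the original article, SNMPTT, or Flashduty) builds the same payload with each value escaped first; the function names json_escape, is_numeric_oid and build_payload and the "invalid-oid" marker are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: JSON-safe payload construction for send_snmptt_alert.sh.
# Function names are hypothetical; POSIX sh, no extra packages needed.

# Escape one value for use inside a JSON string literal.
json_escape() {
    # 1. tab and CR become spaces   2. other control bytes are dropped
    # 3. backslash and double quote are escaped
    # 4. remaining newlines are joined as the two characters \n
    printf '%s' "$1" \
        | tr '\t\r' '  ' \
        | tr -d '\000-\010\013-\037' \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Accept only dotted-decimal OIDs such as .1.3.6.1.6.3.1.1.5.3
is_numeric_oid() {
    case "$1" in
        ''|*[!0-9.]*|*..*|*.) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the payload from the five arguments of the EXEC line:
#   snmptrap "$s" "$aR" "$o" "$*"
build_payload() {
    service=$(json_escape "$1")
    status=$(json_escape "$2")
    resource=$(json_escape "$3")
    description=$(json_escape "$5")
    # Assumption: an OID that is not dotted-decimal is replaced by a marker.
    if is_numeric_oid "$4"; then metric=$4; else metric="invalid-oid"; fi
    printf '{"event_status":"%s","alert_key":"%s","description":"%s",' \
        "$status" "$metric" "$description"
    printf '"title_rule":"%s::%s","labels":{"service":"%s",' \
        "$resource" "$service" "$service"
    printf '"resource":"%s","metric":"%s"}}\n' "$resource" "$metric"
}

# In the sending script, replace the heredoc with:
#   POST_DATA=$(build_payload "$@")
#   curl -X POST "$API_URL" -H "Content-Type: application/json" -d "$POST_DATA"
```
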

3. Test the Integration

Configure a switch to send SNMP Trap messages to the SNMP Trap server:

snmp-agent trap enable
snmp-agent target-host trap address udp-domain 172.16.66.16 params securityname cipher A_a123456

SSH into the switch to generate a trap message. Then log in to Flashduty and you should see the alert:

Flashduty alert list

View details:

Flashduty event details

4. Summary

SNMP Trap notifications mainly depend on vendor-provided trap MIB files. By parsing and translating those file fields, you can build recognizable alert content. Trap messages are useful because they are real-time and widely supported. Network devices, firewalls, BMCs, and many other systems support Trap push messages. When configuring SNMP Trap, pay attention to trap severity and filter out trap messages you do not need.
