SNMP Trap Processing

SNMP traps are generated when any event occurs, including any network or hardware issues. Site24x7 processes SNMP trap messages to detect issues quickly and send notifications to admins for faster troubleshooting and resolution.

What are SNMP traps?

An SNMP trap is any event that's generated and sent by a network device to a network management system (NMS) whenever a change of state or anomaly is detected. An NMS like Site24x7 receives the event messages generated by these devices. Site24x7 processes these traps, displays them, and instantly notifies you based on the thresholds configured for different traps.

SNMP trap processing is supported only from On-Premise Poller versions 3.3.0 and above.

SNMP v1 traps

Basic SNMP v1 traps generally fall into two broad categories: generic and enterprise traps.

There are six types of generic traps: 

  • coldStart: The sending entity has been reinitialized and has a configuration change. In simple terms, the SNMP device has powered on.
  • warmStart: Similar to coldStart, but the configuration remains unaltered because the device is already on. In simple terms, the SNMP device has reloaded the software.
  • linkUp: One of the connected interfaces has changed states from down to up.
  • linkDown: One of the connected interfaces has changed states from up to down.
  • authenticationFailure: An SNMP agent gets a request from an unrecognized community name.
  • egpNeighborLoss: The agent cannot communicate with its Exterior Gateway Protocol (EGP) peer.
  • enterpriseSpecific: Vendor-specific error conditions and error codes.
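
To make the generic and specific type fields concrete, the following added example (not Site24x7 code) decodes the header of an SNMPv1 Trap-PDU and names its generic type. The sample datagram and its enterprise OID are constructed placeholders, and treating the UDP sender as $Source and the PDU's agent-addr field as $Agent is an assumption about how those options map to the packet.

```python
import ipaddress

# Generic-trap codes 0-6 as defined for SNMPv1 (RFC 1157).
GENERIC = ["coldStart", "warmStart", "linkDown", "linkUp",
           "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]
# Constructed sample datagram (not a capture); the enterprise OID is a placeholder.
SAMPLE_TRAP = bytes.fromhex(
    "3029" "020100" "04067075626c6963"   # SEQUENCE, version 0, community "public"
    "a41c" "06082b06010401868d1f"        # Trap-PDU, enterprise 1.3.6.1.4.1.99999
    "4004c0000205" "020102" "020100"     # agent-addr 192.0.2.5, generic 2, specific 0
    "43020bb8" "3000")                   # time-stamp, empty varbind list

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode BER OID content bytes into dotted notation."""
    arcs, sub = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(datagram, udp_source):
    tag, msg, _ = tlv(datagram, 0)
    _, version, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)        # community string (unused here)
    pdu_tag, pdu, _ = tlv(msg, p)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA4:
        raise ValueError("not an SNMPv1 trap")
    _, ent, p = tlv(pdu, 0)
    _, addr, p = tlv(pdu, p)
    _, gen, p = tlv(pdu, p)
    _, spec, p = tlv(pdu, p)
    generic = int.from_bytes(gen, "big")
    agent = str(ipaddress.IPv4Address(addr))
    return {"enterprise": decode_oid(ent), "agent_addr": agent,
            "udp_source": udp_source, "forwarded": agent != udp_source,
            "generic": GENERIC[generic] if generic < 7 else "unknown",
            "specific": int.from_bytes(spec, "big")}
```

The agent-addr value is written by whoever built the packet, so a receiver that attributes traps by that field is trusting the sender's own claim about its identity.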

SNMP v2c/v3 traps

SNMP v2c/v3 traps are classified based on the trap OID, as defined in the vendor's management information base (MIB).

Configuring SNMP traps

You have to configure your device to send SNMP traps to Site24x7 by specifying the IP and the port. The traps should be received via User Datagram Protocol (UDP) port 162, so you must ensure that this port is free.

 Enter the IP address of the On-Premise Poller used to monitor the desired device. 

Trap Processors view

Trap processors process the raw SNMP traps sent by network devices and display them as simple, understandable messages. You can view the list of natively supported traps in the Trap Processors view. You can also add new traps and edit or delete existing traps.

To navigate to the Trap Processors view:

  1. Log in to your Site24x7 account.
  2. Navigate to Network > Trap Processors.
    Figure 1. The Trap Processors view.
  3. Click a Trap Processor to view details like the Trap Processor Name, Description, SNMP Version, Generic Type, Source, Severity, Daily Limit, and Associated Devices.
    Figure 2. After clicking a trap processor.
  4. Click the pencil icon in the Action column to edit a Trap Processor. Here, you can edit the values for the following fields: Description, Generic Type, Source, Severity, Threshold Criteria, Rearm Criteria, Daily Limit, and Apply to Associated Devices.
    Figure 3. Editing a trap processor.
  5. View device-specific traps by clicking on a device name. You can access this from Network > Network Devices.

Adding trap processors

You can create and configure trap processors from the Trap Processors view.

  1. Navigate to Network > Trap Processors.
  2. Click Add Trap Processor (see Figure 1) and enter the following:
    • Trap Processor Name: Enter a name to identify your trap.
    • Description: Enter a description to define your trap.
    • SNMP Version: Select your device's SNMP version (v1 or v2c/v3).
    • Generic Type: For SNMP v1, enter the generic type. These are generic trap types generated by SNMP v1 agents and defined by SNMP. If your SNMP version is v2c/v3, then enter your trap OID. Trap OIDs are object identifiers that identify which type of trap is being received. 
    • Specific Type: When you choose enterpriseSpecific(6) as the generic type, you can enter the specific type.
    • Source: This option is useful if the trap is forwarded from another source. It is the IP from which Site24x7 receives traps and can either be the source IP of the device or the agent that generates traps. Choose $Source when the trap is directly sent to the On-Premise Poller machine, and choose $Agent when it is forwarded.
    • Severity: Select one of the options from the drop-down list: Clear, Trouble, Critical, or Down. If you select Trouble, Critical, or Down, you need to specify the threshold and rearm criteria.
    • Daily Limit: Site24x7 can process up to 500 traps per day. If you need to update the limit, contact our support team at support@site24x7.com.
    • Click Save.
  3. You can also directly import the above from a MIB browser.
    • Generic MIBs: These are available by default in Site24x7. Select the Vendor and MIB from the drop-down.

      Figure 4. Adding trap processors with generic MIBs.
    • Custom MIBs: You can upload MIBs from your system and use them to add custom performance counters.
      • On-Premise Poller: Selecting an On-Premise Poller will list all the MIBs inside the Poller-home/NetworkPlus/mibs folder. Select the On-Premise Poller that stores the MIB files you uploaded. If you select Recently Viewed, you'll see all the MIBs that were uploaded or recently used. 
      • MIB: Select an already uploaded MIB from the drop-down menu or click + to select an option from the left pane and edit the values to add it as a new one.
        Figure 5. Adding trap processors from custom MIBs.
        In the Upload MIB screen, select a file and upload it from your computer.
        Figure 6. Upload MIB screen.
    • Trap OID: The OID for the selected trap will be displayed here. You can also edit it if required. If you have selected the SNMP Version as v2c/v3, then you have the option to add multiple trap OIDs in a single trap processor for viewing related traps. To do so, click the plus icon. 
      To collect data from multiple Trap OID(s), you must use the latest version of On-Premise Poller (version 5.5.1). Otherwise, even though you'll be able to add multiple traps, only the first value will be collected.  
    • Source: This option is useful if the trap is forwarded from another source. It is the IP from which Site24x7 receives traps and can either be the source IP of the device or the agent that generates traps. Choose $Source when the trap is directly sent to the On-Premise Poller machine, and choose $Agent when it is forwarded.
    • Severity: Select one of the following options from the drop-down list: Clear, Down, or Trouble. If you select Down or Trouble, you need to specify the threshold and rearm criteria.
    • Daily limit: Site24x7 can process up to 500 traps per day. If you need to update the limit, contact our support team at support@site24x7.com.
  4. Click Save.
You can view added trap processors in the SNMP Traps view along with their current statuses.

Threshold and rearm criteria

Figure 7. Setting threshold criteria and rearm criteria while adding trap processors.

You can set multiple conditions for threshold and rearm criteria when you select Down or Trouble for the severity. 

Threshold criteria:

Set the threshold criteria and receive a notification when that threshold is breached.

Rearm criteria: 

Rearm criteria is the value that determines whether the monitor has been restored to normal condition. When a condition's value crosses the Rearm value, Trouble or Down statuses change to Clear.

Example: Suppose the trouble threshold condition for a monitor is >65. If the value reaches 70, you'll receive an alert, and the monitor status will change to Trouble. Subsequently, when the value falls below the threshold—62, for instance—you'll receive an alert about the monitor returning to its normal state. For any subsequent threshold breaches or reverts, you'll keep receiving alerts. 

To avoid all these alerts, you can enter a rearm value. By entering a rearm value (e.g., 50), you will receive an alert only if the value falls below the rearm value, as the monitor status will change to Clear only if this condition is satisfied.

You can set multiple threshold conditions and select whether they're triggered by:

  • All the conditions.
  • Any of the conditions.
  • Individual conditions.

Each threshold condition is usually defined as Varbind, Condition, and Value (multiple conditions can be added with AND/OR options), with the following attributes:

  • Varbind: Select a necessary Varbind. Varbinds are the variable bindings carried in the SNMP packet of a received trap message. Each Varbind is identified by its OID, type, and value.
  • Condition: Select any of the following conditions from the drop-down list: Equals, Not equals, Starts with, Contains, Doesn't contain, =, !=, >, >=, <, or <=. You can also select Regular Expression to provide your own condition. Make sure you choose the appropriate numeric or string conditions based on the Varbind.
  • Value: Enter the appropriate numeric or string value. 
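
The threshold and rearm behavior and the Varbind/Condition/Value structure described above can be modeled as a small state machine. This is an added example, not Site24x7's implementation: the evaluation semantics, the function names, and the placeholder OID are assumptions, and only the All/Any modes and a subset of the listed conditions are covered.

```python
import operator
import re

# Condition names follow the drop-down list on this page; how each one is
# evaluated here is an assumption.
OPS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
    "=": operator.eq, "!=": operator.ne,
    "Equals": lambda a, b: str(a) == str(b),
    "Contains": lambda a, b: str(b) in str(a),
    "Starts with": lambda a, b: str(a).startswith(str(b)),
    "Regular Expression": lambda a, b: re.search(b, str(a)) is not None,
}

def matches(varbinds, conditions, mode="all"):
    """conditions: list of (varbind OID, condition name, value) tuples."""
    results = (oid in varbinds and OPS[op](varbinds[oid], val)
               for oid, op, val in conditions)
    return all(results) if mode == "all" else any(results)

def process(traps, threshold, rearm=None, severity="Trouble"):
    """Return [(trap index, new status)], one entry per status change (alert)."""
    status, alerts = "Clear", []
    for i, varbinds in enumerate(traps):
        if status == "Clear":
            changed = matches(varbinds, threshold)      # threshold breached
        elif rearm is not None:
            changed = matches(varbinds, rearm)          # clear only on rearm
        else:
            changed = not matches(varbinds, threshold)  # clear on any revert
        if changed:
            status = severity if status == "Clear" else "Clear"
            alerts.append((i, status))
    return alerts

# Constructed sample: one numeric varbind under a placeholder OID, with values
# that hover around the >65 threshold from the example above.
TEMP = "1.3.6.1.4.1.99999.1.1"
TRAPS = [{TEMP: v} for v in (60, 70, 62, 68, 63, 71, 49, 66)]
```

On the sample sequence, the threshold `>65` alone produces seven status changes, while adding the rearm condition `<50` leaves three.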

The SNMP Traps view

The configured and added trap processors are listed in the SNMP Traps view based on their current statuses: Down, Critical, Trouble, or Up. In this view, you can quickly see the count of total and active trap processors, as well as the number of trap processors remaining as per your license. 

To view SNMP Traps:

  1. Navigate to Network > SNMP Traps.
  2. Select a trap to view details like the time of receipt and message.
  3. Click the thumbs up icon to acknowledge the trap. 
    For instance, in Figure 8, the AuthenticationFailure trap is in trouble, which will affect the device's status. This trap is unlikely to occur after logging in to a device. Since there is no option to auto-resolve the alarm created by this trap, you can resolve it manually by acknowledging this trap. Once acknowledged, the device status will change to green if this was the only trap that was causing trouble. 

    Figure 8. The SNMP Traps view. 

Unsolicited Traps

Any SNMP trap that hasn't been configured for monitoring is collected and displayed as a list of Unsolicited Traps. These can be viewed and added from the SNMP Traps tab as shown in Figure 8.

You can add an SNMP trap by clicking the plus (+) icon and following the instructions described in the Adding trap processors guideline. While creating the Trap Processor, you can select the devices in which that trap has to be monitored. After this, you can view the data under the SNMP Traps tab.
Figure 9. The Unsolicited Traps view. 

Editing and deleting trap processors

All the added trap processors are listed in the Trap Processors view. You can edit and delete them by clicking the pencil (Edit) icon or trash bin (Delete) icon, respectively.

Device-wise traps

To view the device-specific traps:

  1. Navigate to Network > Network Devices.
  2. Click the device name, then navigate to the Traps tab to view device-specific traps. Here, you can view the Trap Name, Message, time of receipt (Last Received At), and Status. You can also add trap processors and bulk suspend them. Click the hamburger icon to edit threshold conditions or activate a suspended trap processor (Figure 12).
    Figure 10. Device-specific traps.
    The device status gets updated depending on the trap status. If the trap status shows Trouble, then the device status also changes to Trouble. If the trap status is Critical or Down, the device status changes to Critical. If there are multiple traps with differing statuses, the most severe status is considered for updating the device status. For instance, in Figure 11, since one trap is in trouble, the device status will be updated to Trouble.

Figure 11. Setting threshold conditions
