SNMP / HP Openview and IPS 4235

Unanswered Question
Mar 19th, 2008

I'm trying to get triggered events from our IPS 4235 to report in HPOV. I've configured SNMP and see IPS system events in OpenView. I've updated the signatures that show up in the events database to include the "Request SNMP Trap" action. However, I don't see any signature triggered events. From what I've read, this should be working. Any thoughts?

Thanks,

Bert

mkodali Wed, 03/19/2008 - 14:52

Did you also set enable-notifications to true in the SNMP configuration on the sensor? Can you please paste both the SNMP config and the signature config to make sure your edits are correct?

thx

Madhu

bertfukuda Fri, 03/21/2008 - 08:42

Madhu,

I have enabled SNMP gets/sets, enabled SNMP traps (have selected Fatal, Error & Warning), and enabled detailed traps for alerts. On my signatures, I have added the action "request SNMP trap". Is there something else I need to do?

Thanks,

bert

mkodali Fri, 03/21/2008 - 08:49

I am assuming you also configured the trap-destinations in the notification configuration as the OpenView station besides the community strings for read and write. Make sure the signatures are seen on cli as being fired. Otherwise that's all we do to get the traps sent.

Another quick way to test the same is adding a global override for request-snmp-trap in "service event-action-rules". This setting will send traps for every alert even if you have not set the event-action on signatures to request-snmp-trap. You can also verify the statistics under "show statistics notification" to confirm the number of gets, sets and traps.

thx

Madhu

bertfukuda Fri, 03/21/2008 - 09:16

Right, I have the IP address of our HPOV in the notification configuration. I checked the stats: 20 errors have been sent and 14228 alerts have been sent.

My service notification is configured as such:

trap-destination
trap-community-name
trap-port 162
exit
error-filter warning|error|fatal
enable-detail true
enable-notification true
enable-get-set true

By the way, we are receiving the error messages being sent from the IDS.

Thanks,

Bert

mkodali Fri, 03/21/2008 - 09:28

Appears like there is no issue on the Sensor end as per the stats. A packet snoop on your OpenView station (if permitted) would help you to debug on the packets received. Also I am assuming you have compiled the new CIDS MIB fine on the OpenView. If you have any other management tool handy like traprcv you can confirm the receipt of traps to eliminate the sensor problem.
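
One way to confirm receipt of traps on the management station independently of OpenView, along the lines of the packet snoop / traprcv suggestion above (an added example, not part of the original thread and not Cisco or HP code): a small Python listener that decodes the SNMP v1/v2c header fields of each datagram. The sample datagram, the community "public", the agent address 192.0.2.10 and the enterprise OID 1.3.6.1.4.1.99999 are constructed placeholders.

```python
import socket

def tlvs(buf):                           # yield (tag, value) for each BER TLV laid end to end
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                  # base-128 sub-identifiers, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def summarize_trap(datagram):            # header fields that confirm an SNMP v1/v2c trap arrived
    tag, msg = next(tlvs(datagram), (None, b""))
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = list(tlvs(msg))[:3]
    info = {"version": int.from_bytes(version, "big"),   # 0 = SNMPv1, 1 = SNMPv2c
            "community": community.decode("latin-1"), "pdu_tag": hex(pdu_tag)}
    if pdu_tag == 0xA4:                  # v1 Trap-PDU (a v2c trap uses tag 0xa7)
        ent, agent, generic, specific = [v for _, v in tlvs(pdu)][:4]
        info.update(enterprise=decode_oid(ent), agent=".".join(map(str, agent)),
                    generic=int.from_bytes(generic, "big"), specific=int.from_bytes(specific, "big"))
    return info

SAMPLE = bytes.fromhex(                  # constructed v1 enterpriseSpecific trap, placeholder OID
    "3028 020100 04067075626c6963 a41b 06082b06010401868d1f 4004c000020a 020106 020101 430100 3000")

def listen(port=162):                    # binding UDP/162 normally needs root
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            print(src, summarize_trap(data))
        except (ValueError, IndexError) as exc:
            print(src, "not decodable as SNMP:", exc)

if __name__ == "__main__":
    print(summarize_trap(SAMPLE))        # offline check of the decoder against the sample
```

Calling `listen()` on the trap destination while nothing else is bound to UDP 162 shows, per datagram, the source address, community string and trap type, which separates "traps never arrive" from "traps arrive but the station cannot interpret them".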

bertfukuda Fri, 03/21/2008 - 09:29

Thanks for the help. I'll see what I can do to figure this out and let you know what the solution was.

Bert

bertfukuda Fri, 03/21/2008 - 09:51

I have not compiled anything for Openview. Do you know where I can get the latest MIB?

Thanks,

Bert
