SNMP / HP Openview and IPS 4235

bertfukuda
Level 1

I'm trying to get triggered events from our IPS 4235 to report in HPOV. I've configured SNMP and see IPS system events in OpenView. I've updated the signatures that show up in the events database to include the "Request SNMP Trap". However, I don't see any signature triggered events. From what I've read, this should be working. Any thoughts?

Thanks,

Bert

9 Replies

mkodali
Cisco Employee

Did you also set enable-notifications to true in the SNMP configuration on the sensor? Can you please paste both the SNMP config and the signature config to make sure your edits are correct?

thx

Madhu

Madhu,

I have enabled SNMP gets/set, enabled SNMP traps (have selected Fatal, Error & Warning), and enabled detailed traps for alerts. On my signatures, I have added the action "request SNMP trap". Is there something else I need to do?

Thanks,

bert

I am assuming you also configured the trap-destinations in the notification configuration as the OpenView station besides the community strings for read and write. Make sure the signatures are seen on cli as being fired. Otherwise that's all we do to get the traps sent.

Another quick way to test the same is adding a global override for request-snmp-trap in "service event-action-rules". This setting will send traps for every alert even if you have not set the event-action on signatures to request-snmp-trap. You can also verify the statistics under "show statistics notification" to confirm the number of gets, sets and traps.

thx

Madhu

Right, I have the ip address of our HPOV in the notification configuration. I checked the stats, 20 errors have been sent and 14228 alerts have been sent.

My service notification is configured as such:

trap-destination

trap-community-name

trap-port 162

exit

error-filter warning|error|fatal

enable-detail true

enable-notification true

enable-get-set true

By the way, we are receiving the error messages being sent from the IDS.

Thanks,

Bert

Appears like there is no issue on the Sensor end as per the stats. A packet snoop on your OpenView station (if permitted) would help you to debug on the packets received. Also I am assuming you have compiled the new CIDS MIB fine on the OpenView. If you have any other management tool handy like traprcv you can confirm the receipt of traps to eliminate the sensor problem.
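
One way to run the receipt check suggested in the reply above when no trap tool is at hand, as an added example that is not part of the original thread: a Python listener that decodes only the SNMP v1/v2c message header (version, community, PDU type) of each datagram. The function names, the sample datagram and the community string "public" are constructed for illustration; binding UDP 162 usually needs elevated privileges and must not collide with a running trap daemon.

```python
import socket

VERSIONS = {0: "v1", 1: "v2c"}
PDU_TYPES = {0xA4: "Trap (v1)", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
# Constructed sample: SNMPv2c trap, community "public", empty varbind list.
SAMPLE = bytes.fromhex("3018020101" "04067075626c6963" "a70b020101020100020100" "3000")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_trap_header(datagram):
    """Decode version, community and PDU type of an SNMP v1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (no outer SEQUENCE)")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("not SNMP v1/v2c (no community string)")
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {"version": VERSIONS.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}

def listen(port=162, bind_addr="0.0.0.0"):
    """Print one line per datagram so the sender's source IP can be checked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, (src, _) = s.recvfrom(65535)
            try:
                print(src, parse_trap_header(data))
            except ValueError as exc:
                print(src, "undecodable:", exc)

if __name__ == "__main__":
    listen()
```

If datagrams from the sensor's address show up here but nothing appears in the management station, the gap is on the receiving side (community mismatch, filtering, or an unloaded MIB) rather than on the sensor.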

Thanks for the help. I'll see what I can do to figure this out and let you know what the solution was.

Bert

I have not compiled anything for Openview. Do you know where I can get the latest MIB?

Thanks,

Bert

Here is the MIB downloaded from CCO and attached.

The CCO link to download any MIB is http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2

Rgds

Madhu

Awesome! Thanks Madhu!

Bert
