If a router detects a trap, it generates an SNMP event. The SNMP event can be sent directly to the Tivoli SNMP adapter. Two files should be configured so that the Tivoli SNMP adapter can capture and forward the events:
For example, Cisco documents the MIBs, traps, OIDs, and other information at this Cisco Web site:
The Tivoli Enterprise Console SNMP adapter recognizes the SNMP traps that are sent by the Cisco routers and maps these SNMP events into Tivoli Enterprise Console events. The SNMP adapter sends the Tivoli Enterprise Console events to the event server for correlation.
Tivoli Risk Manager correlates Cisco router events with other events that come from other types of sensors to provide the Tivoli Risk Manager administrator with a total view of intrusion-detection events.
The SNMP-related classes depend on the classes in the sensor_abstract.baroc and riskmgr.baroc files. The crouter_snmp.baroc file contains the Cisco router class derivatives.
Follow these steps to install and configure the Adapter for Cisco Routers.
For complete instructions on how to install the Tivoli SNMP adapter, refer to the Tivoli Enterprise Console Adapters Guide. When installed, ensure that the adapter can route packets to the event server or Risk Manager Client.
To set up the non-TME SNMP adapter:
cd /test/riskmgr/snmp/etc
ServerLocation=1.2.3.4
Where 1.2.3.4 is the IP address of the event server or the IP address of the Tivoli Risk Manager Client. The Tivoli Risk Manager Client will typically be installed on the same host as the SNMP Adapter.
ServerPort=5529
snmp-trap 162/tcp
snmp-trap 162/udp
This section describes tasks for the adapter for Cisco Routers.
Both the adapter for Internet Security System (ISS) RealSecure and the adapter for Cisco Routers use the Tivoli SNMP adapter. Starting the SNMP adapter for ISS RealSecure IDS also starts the SNMP adapter for the Cisco router.
To manually start the SNMP adapter, change to the directory where you installed the Tivoli SNMP adapter software. Depending on the platform, the default location is as follows:
Windows NT systems:
%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net start tecsnmpadapter
For Windows NT, you can also use the Control Panel to start the SNMP adapter.
AIX system:
$LCFROOT/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start
Solaris Operating Environment (Solaris) system:
$LCFROOT/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start
Both the adapter for ISS RealSecure IDS and the adapter for Cisco Routers use the Tivoli SNMP adapter. Stopping the SNMP adapter for ISS RealSecure IDS also stops the SNMP adapter for the Cisco router, because the adapters share common tecad_snmp.cds and tecad_snmp.oid files.
To manually stop the SNMP adapter, change to the directory where you installed the Tivoli SNMP adapter software. Depending on the platform, the default location is as follows:
Windows NT systems:
%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net stop tecsnmpadapter
For Windows NT, you can also use the Control Panel to stop the SNMP adapter.
AIX system:
$LCFROOT/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop
Solaris system:
$LCFROOT/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop
Both the adapter for ISS RealSecure IDS and the adapter for Cisco Routers use the Tivoli SNMP adapter. If you stop the SNMP daemon for ISS RealSecure IDS, you also stop the SNMP daemon for the Cisco router.
To stop the SNMP daemon:
ps -ef | grep snmpd
kill -9 pid
Where pid is the ID of the SNMP daemon.
For a non-Tivoli environment (using a non-TME adapter), edit the tecad_snmp.conf configuration file to forward events to the event server.
To edit this file:
ServerLocation=ip_address
Where ip_address is the IP address of the event server or Tivoli Risk Manager Client.
Change the following entry in the UNIX /etc/services file to receive SNMP traps:
snmp-trap 162/tcp # snmp monitor trap port
snmp-trap 162/udp # snmp monitor trap port
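A preflight check for the two edits described above (the ServerLocation and ServerPort entries in tecad_snmp.conf and the snmp-trap entries in /etc/services). This is an added example, not part of the Tivoli documentation; it assumes the conf file uses `key=value` lines with `#` comments, and the sample file contents are constructed.

```python
import ipaddress
import re

# Constructed file contents: the conf still carries the "ip_address"
# placeholder from the instructions, and the udp services entry is commented out.
SAMPLE_CONF = """\
# tecad_snmp.conf (constructed sample)
ServerLocation=ip_address
ServerPort=5529
"""
SAMPLE_SERVICES = """\
snmp        161/udp
snmp-trap   162/tcp   # snmp monitor trap port
#snmp-trap  162/udp   # snmp monitor trap port
"""

def read_conf(text):
    """Parse key=value lines, ignoring blank lines and '#' comments (assumed syntax)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_adapter_config(conf_text, services_text):
    """Return a list of findings; an empty list means both files look right."""
    findings = []
    conf = read_conf(conf_text)
    location = conf.get("ServerLocation")
    if location is None:
        findings.append("ServerLocation is not set")
    else:
        try:
            ipaddress.ip_address(location)
        except ValueError:
            findings.append(f"ServerLocation={location} is not an IP address")
    port = conf.get("ServerPort", "")
    # Port 0 is accepted: the page lists it for a UNIX event server.
    if not (port.isdigit() and 0 <= int(port) <= 65535):
        findings.append(f"ServerPort={port!r} is not a port number")
    active = set()
    for line in services_text.splitlines():
        m = re.match(r"\s*snmp-trap\s+(\d+)/(tcp|udp)\b", line)
        if m and m.group(1) == "162":
            active.add(m.group(2))
    for proto in ("tcp", "udp"):
        if proto not in active:
            findings.append(f'/etc/services has no active "snmp-trap 162/{proto}" entry')
    return findings

if __name__ == "__main__":
    for finding in check_adapter_config(SAMPLE_CONF, SAMPLE_SERVICES):
        print(finding)
```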
The SNMP Tivoli Enterprise Console adapter handles SNMP Version 1 traps.
The following is a list of Cisco-specific traps that produce Tivoli Risk
Manager events that are forwarded to the event server:
Enterprise | Type of Trap |
---|---|
1.3.6.1.4.1.9.2.11.1 | logonIntruder |
1.3.6.1.4.1.437.1.1.3 | logonIntruder |
1.3.6.1.4.1.437.1.1.3 | broadcastStorm |
1.3.6.1.4.1.9 | reload |
1.3.6.1.4.1.9 | tcpConnectionClose |
The following is a list of traps that belong to the miscellaneous category
(such as configuration, topology, port, and root changes):
Enterprise | Type of Trap |
---|---|
1.3.6.1.4.1.9.9.43.2 | ciscoConfigManEvent |
1.3.6.1.4.1.9.5 | sysConfigChangeTrap |
1.3.6.1.2.1.47.2 | entConfigChange |
1.3.6.1.2.1.17 | newRoot |
1.3.6.1.2.1.17 | topologyChange |
1.3.6.1.4.1.9.1.111.1.2.3 | cat2600TsDmnNewRoot |
1.3.6.1.4.1.9.1.111.1.2.3 | cat2600TsDmnTopologyChange |
1.3.6.1.4.1.9.2.11.1 | ipAddressChange |
1.3.6.1.4.1.437.1.1.3 | ipAddressChange |
1.3.6.1.4.1.9.5.14.1.1 | ciscoEsStackCfgChange |
1.3.6.1.4.1.9.5.14.4 | ciscoEsPortStrNFwdEntry |
1.3.6.1.4.1.9.5.14.8 | ciscoEsVLANNewRoot |
1.3.6.1.4.1.9.5.14.8 | ciscoEsVLANTopologyChange |
The following is a list of traps that belong to the generic SNMP authentication
failure traps category:
Enterprise | Type of Trap |
---|---|
1.3.6.1.2.1.11 | authenticationFailure |
Screen by screen instructions for deploying and configuring a new ACF adapter are shown. These instructions assume that the adapter will only support ITCAM for WebSphere traps and events. Support for other traps requires manually appending the tecad_snmp.cds and tecad_snmp.oid files (not shown).
How to deploy the ITCAM for WebSphere SNMP Adapter configuration and Tivoli Enterprise Console(R) SNMP Adapter using Tivoli Enterprise Console Adapter Configuration Facility.
Dependencies: Framework 3.7.1 or greater, endpoint, Tivoli Enterprise Console 3.8, Tivoli Enterprise Console ACF 3.8 installed.
- Click Create > Region.
- Enter a name for the Policy Region, and click Create & Close.
- Double-click on the Policy Region to open it.
- Select Properties > Managed Resources.
- Move ACP and ProfileManager to the left-hand side and click Set & Close.
- Select Create > ProfileManager.
- Enter a name, and click the Dataless Endpoint Mode checkbox. Click Create & Close.
- Double-click to open the Profile.
- Select Profiles > Subscribers.
- Move the desired endpoint (to receive the SNMP adapter) to the left-hand side and click Set Subscriptions & Close.
- Select Create > Profile.
- Enter a name, select ACP, and click Create & Close.
- Double-click to open the profile.
- Click Add Entry.
- Scroll down, select tecad_snmp, and click Select & Close.
- Select Environment.
- Double-click on ServerPort in the left-hand pane. Enter the desired Tivoli Enterprise Console port number (usually 5529 for NT Tivoli Enterprise Console Server, or 0 for a UNIX(R) Tivoli Enterprise Console Server), and click the checkmark button to accept the change. The entry will display in the right-hand pane.
- Select Distribution.
- The .cds file and .oid file should be changed to include the AM traps. There are two choices:
  - Support both ITCAM for WebSphere traps and standard traps. You must manually append the Tivoli(R) supplied files with the ITCAM for WebSphere files. They are ASCII, so use your favorite editor and/or command line tools. Then follow the directions below.
  - Replace with the ITCAM for WebSphere files, to only support ITCAM for WebSphere traps. Follow the directions as listed below.
- Double-click on the tecad_snmp.cds entry.
- Click on the Browse button associated with the right-hand pathname.
- Browse to the location of am.cds. Select the file, and click Set & Close.
- Click the checkmark button to accept the change, as shown in the lower pane.
- Repeat the steps to change the right-hand value of tecad_snmp.oid to point to am.oid.
- Click Save & Close.
- Close the profile.
- Distribute the profile (for example, drag the profile on top of the endpoint). The main window of the desktop shows a log of actions.
- The adapter is configured, distributed, and running.
The Agent Connection for TUXEDO and M3 has the ability to translate TUXEDO system event notifications into SNMP trap notifications. These traps can be sent to the Tivoli Event Console (TEC) using the TEC SNMP Adapter. The TEC SNMP Adapter must be installed on the TUXEDO master node along with the Agent Connection, as illustrated in Figure 3-4.
To integrate the Agent Connection with the Tivoli Event Console, do the following:
- Install the TEC SNMP Adapter.
The Tivoli Event Console SNMP Adapter needs to be installed - preferably on the TUXEDO master node.
- Configure the TEC SNMP Adapter.
The following is a suggested mapping of TUXEDO to Tivoli events. You may need to modify this mapping to meet your own requirements.
- To provide a class definition for TUXEDO events, copy the following lines from the file bea2tiv.baroc, provided with Agent Connection, to the file tecad_snmp.baroc of the TEC SNMP Adapter.

      TEC_CLASS :
          Tux_Event ISA Specific_SNMP_Trap
          DEFINES {
              severity: default = WARNING;
              class: STRING;
              ulogcat: STRING;
              ulogmsgnum: INTEGER;
          };
      END

- To provide a class description for TUXEDO events, copy the following lines from the file bea2tiv.cds, provided with Agent Connection, to the file tecad_snmp.cds of the TEC SNMP Adapter:

      CLASS Tux_Event
        SELECT
          1: ATTR(=, "tuxEventsName" ) ;
          2: ATTR(=, "tuxEventsLmid" ) ;
          3: ATTR(=, "tuxEventsTime" ) ;
          4: ATTR(=, "tuxEventsDescription" ) ;
          5: ATTR(=, "tuxEventsClass" ) ;
          6: ATTR(=, "tuxEventsUlogCat" ) ;
          7: ATTR(=, "tuxEventsUlogMsgNum" ) ;
        MAP
          source = "TUXEDO";
          enterprise = "tuxedo";
          sub_source = $V1;
          hostname = $V2;
          date = $V3;
          msg = $V4;
          class = $V5;
          ulogcat = $V6;
          ulogmsgnum = $V7;
      END

- To provide the OID definitions needed for TUXEDO events, copy the following lines from the file bea2tiv.oid, provided with Agent Connection, to the file tecad_snmp.oid of the TEC SNMP Adapter:

      "tuxedo"               "1.3.6.1.4.1.140"
      "tuxEventsName"        "1.3.6.1.4.1.140.300.2.6.1"
      "tuxEventsSeverity"    "1.3.6.1.4.1.140.300.2.6.2"
      "tuxEventsLmid"        "1.3.6.1.4.1.140.300.2.6.3"
      "tuxEventsTime"        "1.3.6.1.4.1.140.300.2.6.4"
      "tuxEventsUsec"        "1.3.6.1.4.1.140.300.2.6.5"
      "tuxEventsDescription" "1.3.6.1.4.1.140.300.2.6.6"
      "tuxEventsClass"       "1.3.6.1.4.1.140.300.2.6.7"
      "tuxEventsUlogCat"     "1.3.6.1.4.1.140.300.2.6.8"
      "tuxEventsUlogMsgNum"  "1.3.6.1.4.1.140.300.2.6.9"
- Set up trap destination for BEA Manager.
Ensure that the TRAP_HOST entry in the BEA Manager configuration file (beamgr.conf) points to the host where the Tivoli Event Console SNMP Adapter is running.
- Start the TUXEDO or M3 SNMP agents.
Refer to Chapter 2, "Setting Up the Agents," for more information.
- Set up the Tivoli Event Server for TUXEDO events.
Set up the rules on the Tivoli management system that are to be applied to incoming TUXEDO system events. This is essentially the same process as described in Step 4 under "Integrating M3 and TUXEDO Event Notifications."
- Set up the Tivoli Event Console for display of TUXEDO events.
You may need to configure the Tivoli management system to select which TUXEDO events to display and how they should be displayed.
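One way to check the adapter files after appending entries by hand, as both the TUXEDO steps above and the ITCAM for WebSphere instructions require. This is an added example, not code from Tivoli or BEA; it assumes the .cds and .oid syntax is limited to the forms shown in the excerpts on this page, and the sample inputs are constructed with two planted defects.

```python
import re

# Constructed inputs modelled on the tuxedo excerpts above. Planted defects:
# "tuxEventsDescription" has no .oid entry, and the MAP section lacks the ';'
# after "$V3" and refers to $V6, which has no SELECT clause.
SAMPLE_OID = '''
"tuxedo"        "1.3.6.1.4.1.140"
"tuxEventsName" "1.3.6.1.4.1.140.300.2.6.1"
"tuxEventsLmid" "1.3.6.1.4.1.140.300.2.6.3"
'''
SAMPLE_CDS = '''
CLASS Tux_Event
  SELECT
    1: ATTR(=, "tuxEventsName" ) ;
    2: ATTR(=, "tuxEventsLmid" ) ;
    3: ATTR(=, "tuxEventsDescription" ) ;
  MAP
    source = "TUXEDO";
    sub_source = $V1;
    hostname = $V2;
    msg = $V3
    ulogcat = $V6;
END
'''

def parse_oid(text):
    """Return ({name: oid}, findings) for lines of the form "name" "oid"."""
    names, findings = {}, []
    for name, oid in re.findall(r'"([^"]+)"[ \t]+"([0-9.]+)"', text):
        if names.get(name, oid) != oid:  # same name appended twice with different OIDs
            findings.append(f'oid: "{name}" redefined as {oid} (was {names[name]})')
        names[name] = oid
    return names, findings

def lint_cds(cds_text, oid_names):
    """Check each CLASS ... END block of a .cds file against the .oid names."""
    findings = []
    for cls, body in re.findall(r'\bCLASS\s+(\w+)(.*?)\bEND\b', cds_text, re.S):
        parts = re.split(r'\bMAP\b', body, maxsplit=1)
        select, mapping = parts[0], parts[1] if len(parts) > 1 else ''
        clauses = dict(re.findall(r'(\d+)\s*:\s*ATTR\(\s*=\s*,\s*"([^"]+)"\s*\)', select))
        for num, attr in clauses.items():
            if attr not in oid_names:
                findings.append(f'{cls}: SELECT {num} uses "{attr}", not in .oid file')
        for stmt in mapping.split(';'):
            stmt = ' '.join(stmt.split())
            if stmt and not re.fullmatch(r'\w+\s*=\s*("[^"]*"|\$V\d+|\w+)', stmt):
                findings.append(f'{cls}: malformed MAP statement "{stmt}" (missing ";"?)')
        for ref in sorted(set(re.findall(r'\$V(\d+)', mapping)), key=int):
            if ref not in clauses:
                findings.append(f'{cls}: MAP uses $V{ref} but there is no SELECT clause {ref}')
    return findings

if __name__ == "__main__":
    oid_names, problems = parse_oid(SAMPLE_OID)
    for finding in problems + lint_cds(SAMPLE_CDS, oid_names):
        print(finding)
```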
Distributed Monitoring of TUXEDO or M3 Applications
Tivoli has the ability to distribute polling or data collecting to distributed Tivoli agents. The following steps are an example of how to implement distributed monitoring of TUXEDO or M3 MIB objects on the Tivoli platform:
- Create a new monitor that specifies the object you want to monitor.
The Profiles Property window lists the monitors which you have configured to do threshold-checking. Select Add Monitor from the Profile Properties window.
- Select the UserSNMP monitoring collection, as shown in Figure 3-5.
Figure 3-5 Adding a New Monitor to a Tivoli Profile
You can define the frequency of polling, the SNMP community, and the object that you wish to monitor. The object must be specified using the absolute object identifier (OID). In the example we have used .1.3.6.1.4.1.140.305.1.6.0, which is the OID for beaDomainStatus. In this case we are setting up a monitor to check whether a TUXEDO domain is active.
In the case of columnar objects, you need to know which instance to monitor. For information on how to specify an instance using an object identifier, refer to the "Polling" chapter in the Agent Integrator Reference Manual.
- Define the polling threshold and the desired response.
Select Add Empty to invoke the Monitor window. This allows you to specify the polling threshold, and other properties of the monitor, such as the severity of the Tivoli event that is generated when the threshold is crossed. In Figure 3-6, we specify a threshold of Not equal to 1 because we want to know when the domain is not active.
Figure 3-6 Defining a Polling Threshold
- Distribute the monitor to the Tivoli agents.
Once you have defined a monitor that specifies the polling interval and condition being checked, you can deploy this monitoring profile to the Tivoli agents for distributed monitoring. Consult the Tivoli documentation for further information.
IBM Tivoli Enterprise Console Adapters Guide, SC32-1242 Provides information about supported adapters, including how to install and configure these adapters.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019