Event configuration Varbindsdecode

Problem:
I noticed that in all of the event config files (/opt/opennms/events/) if the files contain varbindsdecode sections, they are being ignored. I don’t see anything in the documentation about varbindsdecoding anymore, just on the old Wiki page.

One in particular that I’ve been working on is the Cisco.events.xml

I modified the uei.opennms.org/vendor/Cisco/traps/ciscoConfigManEvent as follows (all the rest of the file is the default):

<uei>uei.opennms.org/vendor/Cisco/traps/ciscoConfigManEvent</uei>
      <event-label>CISCO-CONFIG-MAN-MIB defined trap event: ciscoConfigManEvent</event-label>
      <descr>&lt;p>Notification of a configuration management event as
      recorded in ccmHistoryEventTable.&lt;/p>&lt;table>
      &lt;tr>&lt;td>&lt;b>
      ccmHistoryEventCommandSource&lt;/b>&lt;/td>&lt;td>%parm[#1]%
      &lt;/td>&lt;td>&lt;p;>
      commandLine(1) snmp(2)&lt;/p>
      &lt;/td;>&lt;/tr>&lt;tr>&lt;td>&lt;b>
      ccmHistoryEventConfigSource&lt;/b>&lt;/td>&lt;td>%parm[#2]%
      &lt;/td>&lt;td>&lt;p;>
      erase(1) commandSource(2) running(3) startup(4) local(5) networkTftp(6) networkRcp(7)&lt;/p>
      &lt;/td;>&lt;/tr>&lt;tr>&lt;td>&lt;b>
      ccmHistoryEventConfigDestination&lt;/b>&lt;/td>&lt;td>%parm[#3]%
      &lt;/td>&lt;td>&lt;p;>
      erase(1) commandSource(2) running(3) startup(4) local(5) networkTftp(6) networkRcp(7)&lt;/p>
      &lt;/td;>&lt;/tr>&lt;tr>&lt;td>&lt;b>
      ccmHistoryEventTerminalUser&lt;/b>&lt;/td>&lt;td>%parm[#4]%
      &lt;/td>&lt;td>&lt;p>&lt;/p>&lt;/td>&lt;/tr>&lt;/table></descr>
      <logmsg dest="logndisplay">&lt;p>A %parm[#1]% Configuration Management event has occurred by user: %parm[#4]% with a source of %parm[#2]% and a destination of %parm[#3]%.&lt;/p></logmsg>
      <severity>Warning</severity>
      <varbindsdecode>
         <parmid>parm[#1]</parmid>
         <decode varbindvalue="1" varbinddecodedstring="commandLine"/>
         <decode varbindvalue="2" varbinddecodedstring="snmp"/>
      </varbindsdecode>
      <varbindsdecode>
         <parmid>parm[#2]</parmid>
         <decode varbindvalue="1" varbinddecodedstring="erase"/>
         <decode varbindvalue="2" varbinddecodedstring="commandSource"/>
         <decode varbindvalue="3" varbinddecodedstring="running"/>
         <decode varbindvalue="4" varbinddecodedstring="startup"/>
         <decode varbindvalue="5" varbinddecodedstring="local"/>
         <decode varbindvalue="6" varbinddecodedstring="networkTftp"/>
         <decode varbindvalue="7" varbinddecodedstring="networkRcp"/>
         <decode varbindvalue="8" varbinddecodedstring="networkFtp"/>
         <decode varbindvalue="9" varbinddecodedstring="networkScp"/>
      </varbindsdecode>
      <varbindsdecode>
         <parmid>parm[#3]</parmid>
         <decode varbindvalue="1" varbinddecodedstring="erase"/>
         <decode varbindvalue="2" varbinddecodedstring="commandSource"/>
         <decode varbindvalue="3" varbinddecodedstring="running"/>
         <decode varbindvalue="4" varbinddecodedstring="startup"/>
         <decode varbindvalue="5" varbinddecodedstring="local"/>
         <decode varbindvalue="6" varbinddecodedstring="networkTftp"/>
         <decode varbindvalue="7" varbinddecodedstring="networkRcp"/>
         <decode varbindvalue="8" varbinddecodedstring="networkFtp"/>
         <decode varbindvalue="9" varbinddecodedstring="networkScp"/>
      </varbindsdecode>
  </event>

What I’m getting is this

Expected outcome:

I would expect the log message to be as follows:

A commandLine Configuration Management event has occurred by user: admin with a source of running and a destination of commandSource.

OpenNMS version:

27.2.0 (It has done this before I was on this version)

Other relevant data:
trapd.log

2021-06-04 14:09:46,233 DEBUG [DefaultUDPTransportMapping_0.0.0.0/162] o.s.Snmp: Fire process PDU event: CommandResponderEvent[securityModel=2, securityLevel=1, maxSizeResponsePDU=65535, pduHandle=PduHandle[209424], stateReference=StateReference[msgID=0,pduHandle=PduHandle[209424],securityEngineID=null,securityModel=null,securityName=public,securityLevel=1,contextEngineID=null,contextName=null,retryMsgIDs=null], pdu=TRAP[requestID=209424, errorStatus=Success(0), errorIndex=0, VBS[1.3.6.1.2.1.1.3.0 = 350 days, 5:47:17.35; 1.3.6.1.6.3.1.1.4.1.0 = 1.3.6.1.4.1.9.9.43.2.0.1; 1.3.6.1.4.1.9.9.43.1.1.6.1.3.2353 = 1; 1.3.6.1.4.1.9.9.43.1.1.6.1.4.2353 = 3; 1.3.6.1.4.1.9.9.43.1.1.6.1.5.2353 = 2; 1.3.6.1.4.1.9.9.43.1.1.6.1.8.2353 = admin]], messageProcessingModel=1, securityName=public, processed=false, peerAddress=X.X.X.X/51987, transportMapping=org.snmp4j.transport.DefaultUdpTransportMapping@6b03182a, tmStateReference=null]
2021-06-04 14:09:46,233 DEBUG [DefaultUDPTransportMapping_0.0.0.0/162] o.o.n.s.s.Snmp4JTrapNotifier: V2 TRAP numVars or pdu length: 6
2021-06-04 14:09:46,233 DEBUG [OpenNMS.Sink.AsyncDispatcher.Trap-Thread-3] o.o.n.s.s.Snmp4JTrapNotifier: V2 TRAP first varbind value: 350 days, 5:47:17.35
2021-06-04 14:09:46,233 DEBUG [OpenNMS.Sink.AsyncDispatcher.Trap-Thread-3] o.o.n.s.s.Snmp4JTrapNotifier: V2 TRAP first varbind value is of type TIMETICKS (correct)
2021-06-04 14:09:46,233 DEBUG [OpenNMS.Sink.AsyncDispatcher.Trap-Thread-3] o.o.n.s.TrapIdentity: snmpTrapOID: .1.3.6.1.4.1.9.9.43.2.0.1
2021-06-04 14:09:46,233 DEBUG [OpenNMS.Sink.AsyncDispatcher.Trap-Thread-3] o.o.n.s.s.Snmp4JTrapNotifier: Skipping processing of varbind 0: it is sysuptime and the first varbind, and is not processed as a parm per RFC2089
2021-06-04 14:09:46,233 DEBUG [OpenNMS.Sink.AsyncDispatcher.Trap-Thread-3] o.o.n.s.s.Snmp4JTrapNotifier: Skipping processing of varbind 1: it is the trap OID and the second varbind, and is not processed as a parm per RFC2089
2021-06-04 14:09:46,756 DEBUG [AggregatorFlush-Trap] o.o.n.t.EventCreator: v2 trap - trapInterface: /X.X.X.X
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.t.EventCreator: Trap Identity TrapIdentityDTO{Generic=6, Specific=1, EnterpriseId=.1.3.6.1.4.1.9.9.43.2}

eventd.log

2021-06-04 14:09:46,757 INFO  [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl: Received event: UEI=uei.opennms.org/vendor/Cisco/traps/ciscoConfigManEvent, src=trapd, iface=X.X.X.X, svc=null, time=2021-06-04T14:09:46.233-0400, parms=[.1.3.6.1.4.1.9.9.43.1.1.6.1.3.2353=1, .1.3.6.1.4.1.9.9.43.1.1.6.1.4.2353=3, .1.3.6.1.4.1.9.9.43.1.1.6.1.5.2353=2, .1.3.6.1.4.1.9.9.43.1.1.6.1.8.2353=admin]
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl: Event {
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   uuid  = <not-set>
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   uei   = uei.opennms.org/vendor/Cisco/traps/ciscoConfigManEvent
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   src   = trapd
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   iface = X.X.X.X
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   svc   = null
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   time  = 2021-06-04T14:09:46.233-0400
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   parms {
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:     (.1.3.6.1.4.1.9.9.43.1.1.6.1.3.2353, 1)
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:     (.1.3.6.1.4.1.9.9.43.1.1.6.1.4.2353, 3)
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:     (.1.3.6.1.4.1.9.9.43.1.1.6.1.5.2353, 2)
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:     (.1.3.6.1.4.1.9.9.43.1.1.6.1.8.2353, admin)
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl:   }
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.DefaultEventHandlerImpl: }
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#1]=1
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#2]=3
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#3]=2
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#4]=admin
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#1]=1
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#4]=admin
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#2]=3
2021-06-04 14:09:46,757 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.e.ExpandableParameter: Value of token parm[#3]=2
2021-06-04 14:09:46,758 DEBUG [AggregatorFlush-Trap] o.o.n.e.p.HibernateEventWriter: HibernateEventWriter: processing uei.opennms.org/vendor/Cisco/traps/ciscoConfigManEvent, nodeid: 234, ipaddr: X.X.X.X, serviceid: null, time: 2021-06-04T14:09:46.233-0400

Thank you!

Appending the varbind value in parens to the decoded value is a feature of varbindsdecode. It appears to be working as designed?

How I have the varbindsdecode set should change my log message in the webUI from what it is now.

A commandLine(1) Configuration Management event has occurred by user: oxidized with a source of running(3) and a destination of commandSource(2).

to this

A commandLine Configuration Management event has occurred by user: admin with a source of running and a destination of commandSource.

Not a huge change but it should be removing the parentheses and digit inside of them.

Essentially, the way it’s working right now it appears to be not using the varbindsdecode and just giving me the original parm[#] value.

The way I would expect it to work is that

  <varbindsdecode>
         <parmid>parm[#1]</parmid>
         <decode varbindvalue="1" varbinddecodedstring="commandLine"/>
         <decode varbindvalue="2" varbinddecodedstring="snmp"/>
      </varbindsdecode>

would change parm[#1] from commandLine(1) to commandLine

I could be way off on what I’m expecting this to do but I followed this https://wiki.opennms.org/wiki/Trap_Configuration_How-To#Decoding_varbinds_.28OpenNMS_1.7.0_and_beyond.29
which I know is very old but it’s all I could find as far as documentation about varbindsdecoder, but if I understand the last example of that document correctly, this should be able to do what I’m asking it to. Right?

If you’ve got <decode varbindvalue="1" varbinddecodedstring="something"/> the resulting parm in the output for value 1 is always going to be literal something(1) as far as I am aware, and the only way to remove the (1) is by altering the code for the varbindsdecode parm expansion.
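The behaviour described in the reply above, modelled in Python as an added example that is not part of the thread and is not OpenNMS code. The function names and the `keep_raw` switch are hypothetical, the XML is a constructed, trimmed copy of the posted event, and falling back to the raw value when no `<decode>` entry matches is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: logmsg and trimmed decode tables from the posted event.
EVENT_XML = """
<event>
  <logmsg dest="logndisplay">A %parm[#1]% Configuration Management event has occurred by user: %parm[#4]% with a source of %parm[#2]% and a destination of %parm[#3]%.</logmsg>
  <varbindsdecode>
    <parmid>parm[#1]</parmid>
    <decode varbindvalue="1" varbinddecodedstring="commandLine"/>
    <decode varbindvalue="2" varbinddecodedstring="snmp"/>
  </varbindsdecode>
  <varbindsdecode>
    <parmid>parm[#2]</parmid>
    <decode varbindvalue="3" varbinddecodedstring="running"/>
  </varbindsdecode>
  <varbindsdecode>
    <parmid>parm[#3]</parmid>
    <decode varbindvalue="2" varbinddecodedstring="commandSource"/>
  </varbindsdecode>
</event>
"""

# Trap parameters in order, as listed in the eventd.log excerpt.
PARMS = ["1", "3", "2", "admin"]

def load_decodes(event):
    """Map each parmid (e.g. 'parm[#1]') to its {raw value: decoded string} table."""
    return {
        vbd.findtext("parmid").strip(): {
            d.get("varbindvalue"): d.get("varbinddecodedstring")
            for d in vbd.findall("decode")
        }
        for vbd in event.findall("varbindsdecode")
    }

def expand_logmsg(event_xml, parms, keep_raw=True):
    """Expand %parm[#N]% tokens. keep_raw=True models the 'decoded(value)'
    form reported in the thread; keep_raw=False is a hypothetical variant."""
    event = ET.fromstring(event_xml)
    tables = load_decodes(event)

    def repl(match):
        idx = int(match.group(1))
        if not 1 <= idx <= len(parms):
            return match.group(0)          # unknown token: leave untouched
        raw = parms[idx - 1]
        decoded = tables.get(f"parm[#{idx}]", {}).get(raw)
        if decoded is None:
            return raw                     # assumption: no match keeps raw value
        return f"{decoded}({raw})" if keep_raw else decoded

    return re.sub(r"%parm\[#(\d+)\]%", repl, event.findtext("logmsg"))
```

With `keep_raw=True` the result carries the `(n)` suffixes seen in the web UI; with `keep_raw=False` it matches the message the original poster expected.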

Ahh ok, I gotcha! On Monday I will try changing the varbinddecodedstring to something different than the exact same thing and retest.

Thank you for the quick response! It’s much appreciated. I’ll let you know what happens either way.

Happy to help! 🙂 Let me know how it works out.

You are correct. I changed it this morning to test and no matter what I put as the varbindsdecoder it shows as the varbindsdecoder string but still shows the parentheses with the number in it. So it is working as you described, just not how that old documentation says it should.

Thank you for your help and quick response!
