SNMP Traps generated from resources behind NAT router appear with Public IP address under Hostname Column in Event Console

Article:TECH176832  |  Created: 2011-12-13  |  Updated: 2011-12-13  |  Article URL http://www.symantec.com/docs/TECH176832
Article Type
Technical Solution

Issue



This issue pertains to resources that reside behind a NAT router that are configured to generate SNMP Traps with Trap Destination of the SMP\Event Console’s IP address.   When the resources generate a Trap, the Trap is sent to the Event Receiver and Event Engine and is then processed into the Event Console as an Alert. The problem is that ALL SNMP based Alerts will appear with the same Public IP Address and not the unique physical IP Address of the resource that actually generated the SNMP Trap.


Environment



Symantec Management Platform 7.x

Event Console 7.x


Cause



 

 
The physical Host IP Address is in the PDU of the SNMP Trap. The Event Engine is not parsing this part of the packet to obtain the Host's IP Address information.

Solution



A workaround would be to use an Event Console based Task Rule that would leverage a SQL based task to do the following: 

1) Select a record in ec_alert_variable with name 'SNMP::Varbinds' for the particular alert. We can then parse this variable data. (Variable data is in xml format.)

2) We can determine host name

3)  Execute following sql updates:    update ec_alert set hostname='ABCD' where guid='%!ALERTGUID!%';    update ec_alert_pooled set hostname='ABCD' where guid='%!ALERTGUID!%';    (where 'ABCD' -is required host name.)

This will change host column data in event console grid and in alert details page to reflect physical IP Address.

 




Article URL http://www.symantec.com/docs/TECH176832


Terms of use for this information are found in Legal Notices