[RESOLVED] SNMP trap configuration - For SNMP trap based Syslog message

Started by vishal21, March 01, 2013, 10:12:52 AM


vishal21

I have configured the Cisco ASA firewall to send Syslog messages over the SNMP traps to NetXMS.

In NetXMS I receive the trap correctly as per below,
21.02.2013 18:28:16 10.10.10.1 CISCO-ASA-FW-01 .1.3.6.1.4.1.9.9.41.2.0.1 .1.3.6.1.4.1.9.9.41.1.2.3.1.2.0 == '20'; .1.3.6.1.4.1.9.9.41.1.2.3.1.3.0 == '2'; .1.3.6.1.4.1.9.9.41.1.2.3.1.4.0 == 'Syslog Trap'; .1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 == '<161>Feb 21 2013 21:05:30 APDC3W12-NFWL02 : %ASA-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate.'; .1.3.6.1.4.1.9.9.41.1.2.3.1.6.0 == '4089190800'

For this trap I created an SNMP Trap Mapping with Trap OID as .1.3.6.1.4.1.9.9.41.2.0.1 and the parameter OID as varbind .1.3.6.1.4.1.9.9.41.1.2.3.1.5.0. I also created an Event ASA_FAILOVER for this trap mapping by using %2, which gives me the value of the same varbind .1.3.6.1.4.1.9.9.41.1.2.3.1.5.0.

Now in the events I get the message "<161>Feb 21 2013 21:05:30 APDC3W12-NFWL02 : %ASA-1-104001: (Secondary) Switching to ACTIVE - HELLO not heard from mate." But this happens with any other Syslog message being sent by the Cisco ASA FW, because we are using the varbind .1.3.6.1.4.1.9.9.41.1.2.3.1.5.0, which holds the Syslog message string from the SNMP Trap.

So is there any way to make NetXMS trigger the event ASA_FAILOVER only when the varbind value contains the string "Switching to ACTIVE"?

Thanks in advance.

Vishal Babrekar

Victor Kirhenshtein

Hi!

There are a few possible options. Option 1 is the following:

1. Create additional event, ASA_SYSLOG_MESSAGE for example, and put varbind .1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 into parameter #2, as you have done already with ASA_FAILOVER event.
2. Create script in script library, which will post ASA_FAILOVER event if it got ASA_SYSLOG_MESSAGE with "Switching to ACTIVE" text:


if ($event->parameters[2] match ".*Switching to ACTIVE.*")
{
   PostEvent($node, "ASA_FAILOVER", null, $event->parameters[2]);
}


3. Create new action of type "execute NXSL script", and specify name of the script you just created.
4. Add rule to event processing policy, which will execute action created on step 3 for ASA_SYSLOG_MESSAGE event.

That's it - you will have ASA_FAILOVER events for each syslog message trap with "Switching to ACTIVE" text in it. Please note that in my script text will be passed to ASA_FAILOVER event as parameter #1.

If you don't want ASA_SYSLOG_MESSAGE events to clutter event log, you can uncheck "Write to log" option in event's configuration.


Alternative approach could be to not use SNMP traps for this, but feed syslog records from ASA directly to NetXMS server (using syslog protocol), and create a parser for incoming syslog records.

Best regards,
Victor
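
The filtering described in the steps above, as an added Python example that is not part of the original posts and is not NetXMS code: it pulls the syslog varbind out of a trap log line in the layout shown in the first post, decodes the PRI and %ASA fields, and picks the event name. The helper names and the second sample message (with its 000000 message ID) are constructed for illustration.

```python
import re

# Varbind that carries the syslog text in the trap shown in the first post.
MSG_OID = ".1.3.6.1.4.1.9.9.41.1.2.3.1.5.0"
# "OID == 'value'" pairs; a value ends at a quote followed by "; ." or end of line,
# so an apostrophe inside the syslog text does not cut the value short.
VARBIND_RE = re.compile(r"(\.\d+(?:\.\d+)+) == '(.*?)'(?=; \.|$)")
# "<PRI>... %ASA-<severity>-<id>: text", the layout of the message on this page.
ASA_RE = re.compile(r"^<(\d{1,3})>.*?%ASA-(\d)-(\d+): (.*)$")

FAILOVER_MSG = ("<161>Feb 21 2013 21:05:30 APDC3W12-NFWL02 : %ASA-1-104001: "
                "(Secondary) Switching to ACTIVE - HELLO not heard from mate.")
# Constructed sample: message ID 000000 is a placeholder, not a real ASA ID.
OTHER_MSG = ("<166>Feb 21 2013 21:06:00 APDC3W12-NFWL02 : %ASA-6-000000: "
             "Constructed message about the peer's state.")

def make_trap(msg):
    """Build a trap log line in the layout shown on this page (constructed input)."""
    return ("21.02.2013 18:28:16 10.10.10.1 CISCO-ASA-FW-01 .1.3.6.1.4.1.9.9.41.2.0.1 "
            ".1.3.6.1.4.1.9.9.41.1.2.3.1.2.0 == '20'; "
            ".1.3.6.1.4.1.9.9.41.1.2.3.1.3.0 == '2'; "
            ".1.3.6.1.4.1.9.9.41.1.2.3.1.4.0 == 'Syslog Trap'; "
            f"{MSG_OID} == '{msg}'; "
            ".1.3.6.1.4.1.9.9.41.1.2.3.1.6.0 == '4089190800'")

def parse_varbinds(trap_line):
    """Return {oid: value} for every varbind in a trap log line."""
    return dict(VARBIND_RE.findall(trap_line.strip()))

def classify(trap_line, needle="Switching to ACTIVE"):
    """Return (event_name, info); (None, None) when the syslog varbind is absent."""
    text = parse_varbinds(trap_line).get(MSG_OID)
    if text is None:
        return None, None
    info = {"text": text}
    m = ASA_RE.match(text)
    if m:
        pri = int(m.group(1))  # syslog PRI = facility * 8 + severity
        info.update(facility=pri >> 3, pri_severity=pri & 7,
                    asa_severity=int(m.group(2)), msg_id=m.group(3))
    # Only messages containing the needle become the failover event.
    event = "ASA_FAILOVER" if needle in text else "ASA_SYSLOG_MESSAGE"
    return event, info

if __name__ == "__main__":
    for msg in (FAILOVER_MSG, OTHER_MSG):
        print(classify(make_trap(msg)))
```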

vishal21

Thanks a lot, Victor, this one worked very well!!

The only issue I faced was that "null" was not accepted as the event tag, so I marked it as "ASA-STATE-CHANGE".

Thanks again for your help.
Vishal Babrekar