Bernd,

Have you imported the Checkpoint Management MIBs into Spectrum? These will describe the layout and contents of the traps, and allow you to map traps to Spectrum events, which you can turn into alarms. Checkpoint's support should be able to provide this to you.
-DTK

On Tue, Oct 11, 2011 at 7:18 AM, <[email protected]> wrote:

> Dear all,
>
> our Checkpoint Management platform is configured to send traps to spectrum.
> Unfortunately the traps are somewhat cryptic. The event messages read like
> that :
>
> Unknown alert received from device ckpt-sc-ek1 of type Host_Device. Device
> Time 2+08:35:01. (Trap type 1.3.6.1.4.1.2620.1.1.6.0)
>
> Trap var bind data:
>
> OID: 1.3.6.1.4.1.2620.1.1.11.0 Value:
>
> 31.31.4F.63.74.32.30.31.31.20.20.39.3A.31.31.3A.34.37.20.20.20.20.20.20.20.20.63.6B.70.74.2D.73.63.2D.65.6B.31.20.3C.20.20.20.20.73.6E.6D.70.74.72.61.70.20.53.79.73.74.65.6D.20.41.6C.65.72.74.20.6D.65.73.73.61.67.65.3A.20.41.20.46.69.72.65.77.61.6C.6C.20.50.6F.6C.69.63.79.20.68.61.73.20.62.65.65.6E.20.73.75.63.63.65.73.73.66.75.6C.6C.79.20.69.6E.73.74.61.6C.6C.65.64.20.6F.6E.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20.4F.62.6A.65.63.74.3A.20.68.67.2D.66.77.32.2D.64.32.30.2D.6E.65.75.3B.20.45.76.65.6E.74.3A.20.43.68.61.6E.67.65.3B.20.50.61.72.61.6D.65.74.65.72.3A.20.70.6F.6C.69.63.79.5F.74.69.6D.65.3B.20.43.6F.6E.64.69.74.69.6F.6E.3A.20.63.68.61.6E.67.65.73.20.54.68.75.20.53.65.70.20.32.32.20.31.34.3A.34.36.3A.30.35.20.32.30.31.31.3B.20.43.75.72.72.65.6E.74.20.76.61.6C.75.65.3A.20.54.75.65.20.4F.63.74.20.31.31.20.30.38.3A.31.30.3A.35.37.20.32.30.31.31.3B.20.70.72.6F.64.75.63.74.3A.20.53.79.73.74.65.6D.20.4D.6F.6E.69.74.6F.72.3B.A
>
> OK, the "Value" seems to be Hex Code which needs to be translated into
> ASCII, which results to
> "131Oct2011 9:11:47 ckpt-sc-ek1 < snmptrap System Alert message:
> A Firewall Policy has been successfully installed on hg-fw2-d20-neu; Object:
> hg-fw2-d20-neu; Event: Change; Parameter: policy_time; Condition: changes
> Thu Sep 22 14:46:05 2011; Current value: Tue Oct 11 08:10:57 2011; product:
> System Monitor;%A"
>
> What needs to be done to convert that into a Spectrum Alarm ?
>
> The mail below (7 years old !) is the only thing I found about that
> problem, but I never heard about a solution.
>
> Any ideas are welcome.
>
> Best regards,
>
> Bernd
>
> From: <[email protected]>
> To: "spectrum" <[email protected]>
> Date: 15.12.2004 12:53
> Subject: [spectrum] Alertmap REGEX Syntax
> ------------------------------
>
> Hi,
> We have a bunch of Checkpoint firewalls which snmptraps events thru a
> management station. As you can see in the message inserted below, all data
> comes semicolon separated under one OID. This makes my life more
> complicated. It is also nice, that the little sucker sometimes put more than
> one event into same trap (as you can see in the event)
>
> --------------------------------------------------------------------------
> Date/Time: Tue 14 Dec 2004 10:17:14
> Model Name: test
> Model Type: Pingable
> Event Code: 0x00010801
> User Name:
> Event Message: Unknown alert received from device test of type
>                Pingable. Device Time . (Trap type
>                1.3.6.1.4.1.2620.1.1.6.0 OID:
>                1.3.6.1.4.1.2620.1.1.11.0 Value: 14Dec2004
>                10:17:11 129.178.2.38 < snmptrap product: System
>                Monitor; System Alert message: A FireWall-1
>                Policy has been successfully installed on
>                fwri002-new; Object: 192.168.159.10; Event:
>                Change; Parameter: FireWall-1 Policy install
>                time; Condition: changes ; Current value: Tue
>                Dec 14 10:17:05 2004; 14Dec2004 10:17:11
>                129.178.2.38 < snmptrap product: System Monitor;
>                System Alert message: A FireWall-1 Policy has
>                been successfully installed on fwgr002-new;
>                Object: 192.168.159.11; Event: Change;
>                Parameter: FireWall-1 Policy install time;
>                Condition: changes ; Current value: Tue Dec 14
>                10:13:37 2004;
> --------------------------------------------------------------------------
>
> Now, I know I can handle this using Alertmap REGEXP features, to search for
> patterns. Here are 6 patterns I need to find in the datafield. Maybe someone
> of you Spectrumers know the regex Alertmap syntax for it.
>
> If data contain:
>
> "Event: Exception" and "disconnected" = Critical
> "Event: Exception" and "Not installed" = Critical
> "Event: Exception" and "more than" = Critical
> "Event: Exception" and "less than" = Critical
> "Event: Change" and "FireWall-1 Policy install time" = Warning
> "Event: Change" and "FireWal-1 Policy name" = Warning
>
> Anyone? Or do I have to drag myself thru the manual (again ;)
>
> \Roberth
>
> -----------------------------------------------------------------------
> Roberth Edberg
> System Architect & Spectrum Specialist
> SEB IT Service        Web: http://www.seb.se
> Systems Management    E-mail: [email protected]
> Rissneleden 110       Voice: +46 8 639 30 42
> SE-106 40 Stockholm   Mobile: +46 70 509 30 42
> SWEDEN                Fax: +46 8 706 60 25
> -----------------------------------------------------------------------
>
> - "Did you know that the first Matrix was designed to be a perfect
> human world, where none suffered; where everyone would be happy.
> It was a disaster. No one would accept the program. Entire crops
> were lost. Some believed that we lacked the programming language
> to describe your perfect world, but I believe that as a species,
> human beings define their reality through misery and suffering.
> So the perfect world we dreamed, but your primitive cerebrum kept
> trying to wake up from Which is why The Matrix was redesigned to
> this...the peak of your civilization."
> / Agent Smith {The Matrix}
>
> ---
> To unsubscribe from spectrum, send email to [email protected] with the
> body: unsubscribe spectrum [email protected]
>
> - --To unsubscribe from spectrum, send email to [email protected] with
> the body: unsubscribe spectrum [email protected]

--
david t. klein
Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
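An added example, not part of the original thread and not Spectrum's own AlertMap mechanism: a Python sketch of the processing the two quoted mails describe, decoding the dotted-hex varbind value, splitting a trap that carries several events, and applying the six listed severity rules to each event separately. The function names and the sample data are assumptions constructed for illustration.

```python
import re
# Rules from the 2004 post: (event type, required substring, severity).
RULES = [
    ("Exception", "disconnected", "Critical"),
    ("Exception", "Not installed", "Critical"),
    ("Exception", "more than", "Critical"),
    ("Exception", "less than", "Critical"),
    ("Change", "FireWall-1 Policy install time", "Warning"),
    ("Change", "FireWal-1 Policy name", "Warning"),  # spelled as in the post
]
# Each event opens with a stamp such as "14Dec2004 10:17:11".
EVENT_START = re.compile(r"(?=\b\d{1,2}[A-Z][a-z]{2}\d{4}\s+\d{1,2}:\d{2}:\d{2}\s)")
# Constructed samples in the layout shown in the thread (not real trap data).
SAMPLE_HEX = "45.76.65.6E.74.3A.20.43.68.61.6E.67.65.3B.A"
SAMPLE_TRAP = (
    "14Dec2004 10:17:11 192.0.2.1 < snmptrap product: System Monitor; "
    "Object: 192.0.2.10; Event: Change; Parameter: FireWall-1 Policy install "
    "time; Current value: Tue Dec 14 10:17:05 2004; "
    "14Dec2004 10:17:12 192.0.2.1 < snmptrap product: System Monitor; "
    "Object: 192.0.2.11; Event: Exception; Condition: disconnected;"
)

def decode_dotted_hex(value):
    """Decode '45.76.65' style text; control bytes (the final 'A') become spaces."""
    data = [int(tok, 16) for tok in value.strip().split(".") if tok]
    return "".join(chr(b) if 32 <= b < 127 else " " for b in data)

def split_events(text):
    """Split a trap that carries several events at each leading timestamp."""
    return [p.strip() for p in EVENT_START.split(text) if p.strip()]

def parse_fields(event):
    """Parse the 'Key: value;' pairs that follow the 'snmptrap' marker."""
    fields = {}
    for item in event.partition("snmptrap")[2].split(";"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def severity(event):
    """First matching rule wins; call per event so matches cannot span events."""
    for evt, needle, sev in RULES:
        if f"Event: {evt}" in event and needle in event:
            return sev
    return None

def classify(text):
    """Return (Object, severity) for every event in one decoded trap value."""
    return [(parse_fields(e).get("Object"), severity(e)) for e in split_events(text)]
```

Running `severity` on the whole undivided trap text would report a single Critical and lose the Warning for the first object, which is why the events are split before the rules are applied.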
