Sending SNMP traps using filters
As well as being able to execute scripts whenever filter
matches are made, EELS can also send
Simple Network Management Protocol (SNMP)
traps. The mechanism works in the same way as for the
execute-script parameter block. In the send-trap
parameter block you specify the type of trap to send
and the filter rule that dictates when to send the trap.
NOTE: For information on the execute-script parameter block, see "Executing scripts using filters".
Using this feature, you could configure EELS to send an "Authentication failure trap" whenever a failed attempt to telnet into your system is made:
- Log in as root.
- Add the following lines to the bottom of /etc/default/eels:

      send-trap trap_auth_fail {
          count 3;
          interval 10;
          trap-type 4;
          community public;
          hostname localhost;
          filter auth_fail_filter;
      }
      filter auth_fail_filter {
          include "LogSystemsSource ~ 'syslog' && EventNumber == '27'";
      }
  NOTE: The send-trap block specifies that trap type 4 from the "public" community should be sent to localhost three times at intervals of ten seconds whenever the conditions in the filter block "auth_fail_filter" are satisfied. The filter block specifies that the field "LogSystemsSource" must contain the string "syslog" and "EventNumber" must equal "27" before the trap can be sent.
- Save /etc/default/eels.
- Start trap_rece(1Msnmp) by entering the following command:

      trap_rece

- In a new window, stop and restart EELS by entering the following command:

      /etc/init.d/eelsrc restart
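As an added illustration that is not part of the UnixWare documentation or of EELS itself, the following Python script parses the send-trap and filter stanza above and evaluates the filter's include expression against constructed sample events, reporting which events would cause the trap to be sent. It assumes, as the NOTE describes, that "~" means substring match and "==" exact match, supports only "&&" between terms, and uses event records constructed for the example rather than real EELS output.

```python
import re
# Constructed copy of the stanza the procedure above adds to /etc/default/eels.
EELS_CONF = """
send-trap trap_auth_fail {
    count 3;
    interval 10;
    trap-type 4;
    community public;
    hostname localhost;
    filter auth_fail_filter;
}
filter auth_fail_filter {
    include "LogSystemsSource ~ 'syslog' && EventNumber == '27'";
}
"""
BLOCK_RE = re.compile(r"(send-trap|filter)\s+(\S+)\s*\{(.*?)\}", re.S)
TERM_RE = re.compile(r"(\w+)\s*(~|==)\s*'([^']*)'")

def parse_conf(text):
    """Map (block kind, name) -> {parameter: value} for each block in the stanza."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        stmts = (s.strip().partition(" ") for s in body.split(";") if s.strip())
        blocks[(kind, name)] = {k: v.strip('"') for k, _, v in stmts}
    return blocks

def event_matches(include_expr, event):
    """'~' is substring match, '==' exact match, '&&' joins terms (all this supports)."""
    for term in include_expr.split("&&"):
        m = TERM_RE.fullmatch(term.strip())
        if not m:
            raise ValueError("unsupported filter term: %r" % term)
        field, op, want = m.groups()
        have = str(event.get(field, ""))
        if not (want in have if op == "~" else have == want):
            return False
    return True

def traps_to_send(conf, events):
    """(trap name, trap-type, count) for each event satisfying a send-trap's filter."""
    fired = []
    for (kind, name), params in conf.items():
        if kind == "send-trap":
            expr = conf[("filter", params["filter"])]["include"]
            fired += [(name, int(params["trap-type"]), int(params["count"]))
                      for ev in events if event_matches(expr, ev)]
    return fired

# Constructed event records (not real EELS output); only the first is an aborted login.
SAMPLE_EVENTS = [{"LogSystemsSource": "syslog", "EventNumber": "27"},
                 {"LogSystemsSource": "syslog", "EventNumber": "12"},
                 {"LogSystemsSource": "kernel", "EventNumber": "27"}]
```

Running traps_to_send(parse_conf(EELS_CONF), SAMPLE_EVENTS) yields a single entry for the aborted-login event; the repeat count and interval from the send-trap block are reported, not acted on, since actually emitting the trap is EELS's job.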
The changes are now active. If a telnet session is aborted before a successful login is made on your system, an SNMP trap is sent to the localhost and is displayed in the window in which trap_rece is active. To test this:
- Log in as root.
- Use telnet to connect to the localhost, that is:

      telnet localhost

- Enter a username you know will not exist on your system, such as llkkjj, and a random password such as 1234.
- Press <Ctrl>D to exit the telnet session. Doing this generates the log entry you need to trigger the sending of the trap.
A message similar to the one shown below is displayed in the trap_rece window.

      Community: public.
      Enterprise: unixWare.2.
      Agent-addr: 192.168.24.64
      Authentication failure trap.
      Time ticks: 0.
      Name: iso.1.1.1
      Type: NULL
      Value: NULL
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004