The program is able to listen for Version 1 and 2c SNMP traps. The traps can then be decoded and then handled like a regular syslog message.
Listen for SNMP traps:
By default this option is disabled. Check the box to enable listening for SNMP traps.
This is the UDP port to listen on for SNMP traps. Normally traps are sent to port 162. A value between 1 and 65535 can be entered. If you choose a value other than 162, make sure the device sending the trap is also sending to the specified port.
This option allows you to choose which SNMP fields are decoded and added to the incoming message. Check the box next to the field that you want enabled. You can change the order in which the message is decoded by clicking and dragging on the field name.
This is like a password that is included in the trap message. Normally this value is set to values such as "public", "private" or "monitor"
This is a dotted numerical value (22.214.171.124.x.x.x.x) that represents the MIB enterprise of the SNMP trap. This field only applies for version 1 traps. Version 2 traps have the Enterprise value bound as the second variable in the message.
This is a value that represents the system uptime of the device sending the message. The value is in time ticks. The value resets to 0 when the device restarts. A low value would indicate that the device has been warm or cold started recently. This field only applies to version 1 traps. Version 2 traps have the system uptime value bound as the first variable in the message.
This represents the IP address of the sending device.
This check box represents two trap type fields. Generic Type and Specific Type. These fields only applies for version 1 traps. There are 6 defined Generic Type traps. If the Generic Type is set to 6 it indicates an Enterprise type trap. In this case the Specific Trap value needs to be considered.
This field indicates the version of the received trap. The program currently supports version 1 and 2c.
This field is made up of all the bound variables. Some traps may include more than a single variable binding. If the variable is a Octet String type, then it will be visible as plain text. Some variables represent counters or integer values. In this case, it is advisable to check the value against the MIB syntax for further explanation.
Syslog priority to use:
Each SNMP message that is received is converted internally into a standard syslog message. This allows you to filter the message like a standard syslog message. Because SNMP traps don't have a message facility and level, a default value must be applied. You can then use this value in the rule engine. For example, you might like to set all traps to be tagged as Local0.Debug. You can then create a priority filter to catch that facility and level and perform a specified action.
SNMP field tagging:
This drop down list allows you to specify how the decoded fields are converted into a message. By default, the "fieldname=value" option is used. This allows for easy parsing of the logs later. Other options are XML, comma delimited or delimited by .
Here is an example of a message tagged with the fieldname=value option.
community=public enterprise=126.96.36.199.188.8.131.52 enterprise_mib_name=sysDescr uptime=15161 agent_ip=192.168.0.1 generic_num=6 specific_num=0 version=Ver1 generic_name="Enterprise specific" var_count=01 var01_oid=184.108.40.206.220.127.116.11 var01_value="This is a test message from Kiwi Syslog Daemon" var01_mib_name=sysDescr
Note the values are only contained in quotes ("") if they contain a space.
Use LinkSys Display filter:
The LinkSys Display filter simply removes all PPP messages from being displayed. The PPP messages are still logged to file as normal.
This feature is only useful if you are logging from a LinkSys network device.
Perform MIB lookups:
This feature has been added to version 7.0.3 and will continue to be developed in future versions. A well known list of object ID values and their text names have been included in a database that is included with the program. This will handle the most common traps from Cisco, 3Com, Allied Telesyn, SonicWall, Nokia, Checkpoint, BreezeCom, Nortel and SNMP MIB-II.
The MIB database file is located in the InstallPath\MIBs folder in a file named: KiwiMIBDB.kmf
This database is a compressed text file which has been compiled from over 35,000 MIB tree entries. Since most MIB files only contain less than 5% of usable trap information, this pre-compiled method saves a huge amount of lookup time, disk space and hash table memory over using a standard MIB compiler/parser.
If you would like to add additional MIB lookup values, we are very happy to add them for you. Please send your zipped MIB files to firstname.lastname@example.org. We will compile a new database file for you and send you the update. Please also include your Unknown_OID_list.txt file so we can ensure all the OIDs are referenced.
When creating the MIB database, all the traps, notifications and referenced variables are parsed from the MIB files. Sometimes an object may not be referenced correctly and therefore won't be added. In this case, all we need to know is the OID value and we can ensure that it is included. See the next section for more information.
Log failed lookups to debug file:
If an OID value is unable to be located in the database, if you have the "log failed lookups" option checked, the OID value will be logged to a debug file. The file is located in InstallPath\MIBs and is named: Unknown_OID_list.txt. This file can be zipped up and sent to email@example.com so we can ensure that the next release of the database has these values listed.
Show additional OID suffix info:
Sometimes a device will send additional information encoded after the main OID number. This information can include things like the interface index, source and destination addresses and port numbers etc. As from version 7.1.3 this information can be shown as a suffix to the MIB name.
For example, a Cisco switch might send a "Link up" trap containing the variable: 18.104.22.168.22.214.171.124.1.2.3.
The last "3" of the OID refers to the interface index. The rest of the OID can be resolved to the MIB name of "ifDescr".
If the "Show additional OID suffix info" option is checked, then the MIB name displayed will contain the extra ".3" information. For example: ifDescr.3=SlowEthernet0/3. With the option unchecked, the display will look like: ifDescr=SlowEthernet0/3.