#!/usr/bin/perl ################################################################################## # Pandora Server. SNMP Console ################################################################################## # Copyright (c) 2004-2006 Sancho Lerena, slerena@gmail.com # Copyright (c) 2005-2006 Artica Soluciones Tecnol�icas S.L # #This program is free software; you can redistribute it and/or #modify it under the terms of the GNU General Public License #as published by the Free Software Foundation; either version 2 #of the License, or (at your option) any later version. #This program is distributed in the hope that it will be useful, #but WITHOUT ANY WARRANTY; without even the implied warranty of #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #GNU General Public License for more details. #You should have received a copy of the GNU General Public License #along with this program; if not, write to the Free Software #Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ################################################################################## # Includes list use strict; use warnings; use Date::Manip; # Needed to manipulate DateTime formats of input, output and compare use Time::Local; # DateTime basic manipulation use Time::HiRes; # For high precission timedate functions (Net::Ping) # Pandora Modules use pandora_config; use pandora_tools; use pandora_db; # FLUSH in each IO (only for debug, very slooow) # ENABLED in DEBUGMODE # DISABLE FOR PRODUCTION $| = 1; my %pa_config; # Inicio del bucle principal de programa pandora_init(\%pa_config,"Pandora SNMP Console"); # Read config file for Global variables pandora_loadconfig (\%pa_config,2); # Audit server starting pandora_audit (\%pa_config, "Pandora Server SNMP Console Daemon starting", "SYSTEM", "System"); # Daemonize of configured if ( $pa_config{"daemon"} eq "1" ) { print " [*] Backgrounding...\n"; &daemonize; } pandora_snmptrapd (\%pa_config); ################################################################################# ## SUB pandora_snmptrapd ## Pandora SNMP Trap console/daemon subsystem ################################################################################## sub pandora_snmptrapd { my $pa_config = $_[0]; my $snmp_logfile = $pa_config->{'pandora_path'}."/log/snmptrapd.log"; my $logfile_size; # Size of logfile, use for calculating index file my @array; my $datos; my $timestamp; my $source; my $oid; my $type; my $type_desc; my $value; my $custom_oid; my $custom_type; my $custom_value; my $sql_insert; my @index_data; if ( ! -e $snmp_logfile) { # Wait until a snmplogfile exists sleep 5; } open (SNMPLOGFILE, $snmp_logfile); print " [*] SNMP Console enabled \n"; $index_data[0]=0; $index_data[1]=0; # Check for index file if ( -e $snmp_logfile.".index" ){ open SNMPLOGFILE_INDEX, $snmp_logfile.".index"; $datos = ; close SNMPLOGFILE_INDEX; @index_data = split(/\s+/,$datos); # $index_data[0] is the last line readed # $index_data[1] is the size of file (use for calculate new files or reset logfiles } $logfile_size = (stat($snmp_logfile))[7]; if ($logfile_size < $index_data[1]){ # El tama? del log es ahora mas peq. que la ultima vez que lo leimos -> es uno nuevo unlink ($snmp_logfile.".index"); $index_data[0]=0; $index_data[1]=0; logger ($pa_config,"New SNMP logfile detected, resetting index",1); } if (($index_data[1] <= $logfile_size) && ($index_data[0] > 0)){ # Skip already processed records for ($value=0;$value < $index_data[0];$value++){ $datos = readline SNMPLOGFILE; } } # open database, only ONCE. We pass reference to DBI handler ($dbh) to all subprocess my $dbh = DBI->connect("DBI:mysql:pandora:$pa_config->{'dbhost'}:3306",$pa_config->{'dbuser'}, $pa_config->{'dbpass'}, { RaiseError => 1, AutoCommit => 1 }); # Main loop for reading file while ( 1 ){ while ($datos = ) { $index_data[0]++; $index_data[1]=(stat($snmp_logfile))[7]; open SNMPLOGFILE_INDEX, ">".$snmp_logfile.".index"; print SNMPLOGFILE_INDEX $index_data[0]," ",$index_data[1]; close SNMPLOGFILE_INDEX; #print "DEBUG $datos \n"; if (($datos !~ m/NET-SNMP/) && ($datos =~ m/\[\*\*\]/)) { # SKIP Headers @array = split(/\[\*\*\]/, $datos); $timestamp = $array[0]." ".$array[1]; $source = $array[2]; $oid = $array[3]; $type = $array[4]; $type_desc = $array[5]; $value = limpia_cadena($array[6]); if ($type == 6){ # Custom OID type $datos = $array[7]; if ($datos !~ m/STRING/) { # No string datatype, marked with " chars $datos =~ m/([0-9\.]*)\s\=\s([A-Za-z0-9]*)\:\s(.+)/; $custom_oid = $1; $custom_type = $2; $custom_value = limpia_cadena($3); } else { # String type if ($datos =~ m/([0-9\.]*)\s\=\s([A-Za-z0-9]*)\:\s\"(.+)\"/){ $custom_oid = $1; $custom_type = $2; $custom_value = limpia_cadena($3); } } } else { # not custom OID type, deleting old values in these vars $custom_oid=""; $custom_type=""; $custom_value=""; } $sql_insert = "insert into ttrap (timestamp, source, oid, type, value, oid_custom, value_custom, type_custom) values ('$timestamp', '$source', '$oid', $type, '$value', '$custom_oid', '$custom_value', '$custom_type')"; logger ($pa_config,"Received SNMP Trap from $source",2); eval { $dbh->do($sql_insert) || logger ($pa_config, "Cannot write to database while updating SNMP Trap data (error in INSERT)",0); # Evaluate TRAP Alerts for this trap calcula_alerta_snmp($pa_config, $source,$oid,$custom_value,$timestamp,$dbh); }; if ($@) { logger ($pa_config, "[ERROR] Cannot access to database while updating SNMP Trap data",0); logger ($pa_config, "[ERROR] SQL Errorcode: $@",2); } } } sleep ($pa_config{'server_threshold'}); pandora_serverkeepaliver($pa_config,2,$dbh); } $dbh->disconnect(); } ################################################################################# ## SUB calcula_alerta_snmp($source,$oid,$custom_value,$timestamp); ## Given an SNMP Trap received with this data, execute Alert or not ################################################################################## sub calcula_alerta_snmp { # Parameters passed as arguments my $pa_config = $_[0]; my $trap_agente = $_[1]; my $trap_oid = $_[2]; my $trap_custom_value = $_[3]; my $timestamp = $_[4]; my $dbh = $_[5]; my $alert_fired = 0; my $query_idag = "select * from talert_snmp"; my $s_idag = $dbh->prepare($query_idag); $s_idag ->execute; my @data; # Read all alerts and apply to this incoming trap if ($s_idag->rows != 0) { while (@data = $s_idag->fetchrow_array()) { $alert_fired = 0; my $id_as = $data[0]; my $id_alert = $data[1]; my $field1 = $data[2]; my $field2 = $data[3]; my $field3 = $data[4]; my $description = $data[5]; my $alert_type = $data[6]; my $agent = $data[7]; my $custom_oid = $data[8]; my $oid = $data[9]; my $time_threshold = $data[10]; my $times_fired = $data[11]; my $last_fired = $data[12]; # The real fired alarms my $max_alerts = $data[13]; my $min_alerts = $data[14]; # The real triggered alarms (not really fired, only triggered) my $internal_counter = $data[15]; my $alert_data = ""; if ($alert_type == 0){ # type 0 is OID only if ( $trap_oid =~ m/$oid/i ){ $alert_fired = 1; $alert_data = "SNMP/OID:".$oid; logger ($pa_config,"SNMP Alert debug (OID) MATCHED",10); } } elsif ($alert_type == 1){ # type 1 is custom value logger ($pa_config,"SNMP Alert debug (Custom) $custom_oid / $trap_custom_value",10); if ( $trap_custom_value =~ m/$custom_oid/i ){ $alert_fired = 1; $alert_data = "SNMP/VALUE:".$custom_oid; logger ($pa_config,"SNMP Alert debug (Custom) MATCHED",10); } } else { # type 2 is agent IP if ($trap_agente =~ m/$agent/i ){ $alert_fired = 1; $alert_data = "SNMP/SOURCE:".$agent; logger ($pa_config,"SNMP Alert debug (SOURCE) MATCHED",10); } } if ($alert_fired == 1){ # Exists condition to fire alarm. # Comprobar que est?por debajo del rango de time_threshold my $fecha_ultima_alerta = ParseDate($last_fired); my $fecha_actual = ParseDate( $timestamp ); my $ahora_mysql = &UnixDate("today","%Y-%m-%d %H:%M:%S"); # If we need to update MYSQL last_fired will use $ahora_mysql my $err; my $flag; my $fecha_limite = DateCalc($fecha_ultima_alerta,"+ $time_threshold seconds",\$err); # Comprobar que est?por encima (sumando esta) del minimo de alertas # Comprobar que est?por debajo (sumando esta) del m?imo de alertas $flag = Date_Cmp($fecha_actual,$fecha_limite); if ( $flag >= 0 ) { # Out limits !, reset $times_fired, but do not write to # database until a real alarm was fired $times_fired = 0; $internal_counter=0; logger ($pa_config,"SNMP Alarm out of timethreshold limits",10); } # We are between limits marked by time_threshold or running a new time-alarm-interval # Caution: MIN Limit is related to triggered (in time-threshold limit) alerts # but MAX limit is related to executed alerts, not only triggered. Because an alarm to be # executed could be triggered X (min value) times to be executed. if (($internal_counter+1 >= $min_alerts) && ($times_fired+1 <= $max_alerts)){ # The new alert is between last valid time + threshold and between max/min limit to alerts in this gap of time. $times_fired++; $internal_counter++; # ---------> EXECUTE ALERT <--------------- ## SUB execute_alert (id_alert, field1, field2, field3, agent, timestamp, data) logger($pa_config,"Executing SNMP Trap alert for $agent - $alert_data",2); execute_alert($pa_config,$id_alert, $field1, $field2, $field3, $trap_agente, $timestamp, $alert_data, $dbh); # Now update the new value for times_fired, alert_fired, internal_counter and last_fired for this alert. my $query_idag2 = "update talert_snmp set times_fired = $times_fired, last_fired = '$ahora_mysql', internal_counter = $internal_counter where id_as = $id_as "; $dbh->do($query_idag2); # Now find record for trap and update "fired" status... # Due DBI doesnt return ID of a new inserted item, we now need to find ourselves # this is a crap :( my $query_idag3 = "update ttrap set alerted = 1 where timestamp = '$timestamp' and source = '$trap_agente'"; $dbh->do($query_idag3); } else { # Alert is in valid timegap but has too many alerts or too many little $internal_counter++; if ($internal_counter < $min_alerts){ # Now update the new value for times_fired & last_fired if we are below min limit for triggering this alert my $query_idag = "update talert_snmp set internal_counter = $internal_counter, times_fired = $times_fired, last_fired = '$ahora_mysql' where id_as = $id_as "; $dbh->do($query_idag); logger ($pa_config, "SNMP Alarm not fired because is below min limit",8); } else { # Too many alerts fired (upper limit) my $query_idag = "update talert_snmp set times_fired=$times_fired, internal_counter = $internal_counter where id_as = $id_as "; $dbh->do($query_idag); logger ($pa_config, "SNMP Alarm not fired because is above max limit",8); } } } } # While } # if $s_idag->finish(); }