Online Expert Day - HPE Data Storage - Live Now
April 24/25 - Online Expert Day - HPE Data Storage - Live Now
Read more
Server Management - Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

Many XML-files in traps-folder - what is spamming?

Many XML-files in traps-folder - what is spamming?

Hi,

 

 we get a large amount (16.000+) of XML-files in the traps folder and i am trying to figure out what is causing this sh*tstorm of SNMP-traps. The traps are generated from a variety of our hosts, and i cant see a pattern here. SIM is able to handle most of the trapped traps but there is never less then 4000 in the traps folder.

 

There are several types of traps but the most frequent one is;

 

<trap from="10.1.1.1" securityModel="1" securityLevel="1" securityName="public" >
<vb oid="1.3.6.1.2.1.1.3.0" value="243098918" />
<vb oid="1.3.6.1.6.3.1.1.4.1.0" value="1.3.6.1.6.3.1.1.5.5" />
<vb oid="1.3.6.1.3.1057.1" value="10.1.1.1" />
<vb oid="1.3.6.1.6.3.1.1.4.3.0" value="1.3.6.1.4.1.311.1.1.3.1.2" />
</trap>

 

Does anyone know what this trap actually is and secondly why is it sent multiple times very often?

 

SIM 7.2.0.

 

Best Regards,

Johannes

6 REPLIES
Tushar Bajpai
Trusted Contributor

Re: Many XML-files in traps-folder - what is spamming?

In case you are having any issues please apply the latest hotfix on 7.2.

Windows Box have a bad habit of sending Auth Traps.

if it helped, award me Kudos or Points. Thanks :)

\T Bajpai
HP Employee

Re: Many XML-files in traps-folder - what is spamming?

Hi Tushar,

 

installing hotfix .2 did not solve the problem.

 Stopping the SIM Service and removing all 80.000 left XML's and starting the service again we immediately get about 20 files in the traps folder that never gets handled, and the number adds up with time.

 

 

 

 

BR,

Johannes

Tushar Bajpai
Trusted Contributor

Re: Many XML-files in traps-folder - what is spamming?

Actually installing HPSIM 7.2.2 takes care of wrongly formed or malformed trap. The files if not properly formed gets deleted automatically.

 

Can you please share 1-2 xml files that are stuck in the directory.

if it helped, award me Kudos or Points. Thanks :)

\T Bajpai
HP Employee

Re: Many XML-files in traps-folder - what is spamming?

Tushar,

 

please see my initial post for an example of the trap-XML.

 

BR,

Johannes

Brad Cunningham
Trusted Contributor

Re: Many XML-files in traps-folder - what is spamming?

SIM 7.2 handles traps differently that previous version of SIM. If you install the hotfixes for SIM 7.2 it will help the issues by cleaning up the traps folders periodically.

 

 

I have seen this many times and this will eventually bring SIM to a crawl unless you install the hot fixes. The worst site I've seen had 1.8 million traps.  What I have seen cause this is where you have the authentication button checked on your management systems. This button is under the security tab under the SNMP service.

 

Send authentication trap: Specifies whether to send an SNMP trap message to all trap destinations if this SNMP host receives an SNMP request from an SNMP host or community that is not listed on the Security tab. Authentication is the process of verifying that a host name or address is valid. When the SNMP agent receives a request that does not contain a known community name or that is not sent from a member of the acceptable hosts list, the SNMP agent sends an authentication trap message to one or more trap destinations, indicating the failure of authentication. This check box is selected by default.

 

 

You could run SNMPutil on one of your managed systems to see who is trying to do a SNMPget against it.  In several cases I have seen Solar Winds ro be the culprit but it could be any tool using SNMP that would cause this.

 

 

An easy fix would be to push out a GP with the authentication flag disabled

Andrew_Haak
Honored Contributor

Re: Many XML-files in traps-folder - what is spamming?

Hello there,

i had the same problem with the authenticate traps. Just to be o. The save side i changes the mib that handles the event and set it to handle strap to no. You have to repeat this every time you get a hotfix because the hothix replaces the mibs in Sim so they get overwritten.

Kind regards,

Andrew
Kind regards,

Andrew