panCommonEventDescr variable has no value when Spectrum maps the panCommonEventLog trap

Article ID: 137620


Products

CA Spectrum

Issue/Introduction

We have a Palo Alto device for which we are trying to configure trap events in Spectrum. The out-of-the-box trap support for the "panCommonEventLog" OID 1.3.6.1.4.1.25461.2.1.3.2.0.1 is event code 0x06520001.

However, the var bind data doesn't seem to be available in the event.  I've tried various things in the Event message configuration but can't get more than the following to display for the event, which is the default.  

Here's the event message for 0x6520001:

A "panCommonEventLog" event has occurred, from GnSNMPDev device, named wpcpano.

A config/system/firewall/threat log

panCommonEventDescr = 


However, if I remove the Palo Alto model and then view the traps being asserted on the landscape's VNM model, then I see var bind data, so I could be missing something in getting the event message to display data. Here's what I see on the VNM model for a similar event which has the var bind data:

Trap 6.1 directly received from unknown SNMP device with IP address XXX.XXX.XXX.XXX and SNMP community string 'XXXXXXXXXXXXXXXXX'. Trap identifier 1.3.6.1.4.1.25461.2.1.3.2.

Trap var bind data: 

OID:  1.3.6.1.2.1.1.3.0  Value:  59307530

OID:  1.3.6.1.6.3.1.1.4.1.0  Value:  1.3.6.1.4.1.25461.2.1.3.2.0.1

OID:  1.3.6.1.4.1.25461.2.1.3.2.0.1  Value:  1,2019/09/24 16:37:49,007307002338,SYSTEM,general,0,2019/09/24 16:37:49,,general,,0,0,general,informational,"Deviating device: wpclabfw1, Serial: 010401007976, Object: interface 1/5, Metric: rx-errors, Value: 84",205432,0x0,0,0,0,0,,wpcpano

Environment

Release : 10.3.2

Component : Spectrum Core / SpectroSERVER

Cause

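The $SPECROOT/SS/CsVendor/Palo_Alto/AlertMap file has an incorrect varbind mapping. The entry for this trap maps the event variable to OID 1.3.6.1.4.1.25461.2.1.3.1.1, but the var bind data shown on the VNM model carries the value under OID 1.3.6.1.4.1.25461.2.1.3.2.0.1, so panCommonEventDescr is left empty.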


# panCommonEventLog panCommonEventDescr

1.3.6.1.4.1.25461.2.1.3.2.0.1 0x06520001 1.3.6.1.4.1.25461.2.1.3.1.1(1,0)



Resolution

 

Workaround:


1) Edit the $SPECROOT/SS/CsVendor/Palo_Alto/AlertMap file.


Change

From:

1.3.6.1.4.1.25461.2.1.3.2.0.1 0x06520001 1.3.6.1.4.1.25461.2.1.3.1.1(1,0)


To:

1.3.6.1.4.1.25461.2.1.3.2.0.1 0x06520001 1.3.6.1.4.1.25461.2.1.3.2.0.1(1,0)




2) Save the file.


3) Click the "Update Event Configuration" button under the SpectroSERVER Control subview of the VNM model to load the AlertMap file change into the SpectroSERVER memory.

4) Once a new panCommonEventLog trap is processed, Spectrum will display the value of panCommonEventDescr variable properly.
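To confirm the mismatch before and after the edit, the following added example (not part of the original article or of Spectrum) parses an AlertMap entry in the layout shown above and reports mapped OIDs that no varbind in the trap satisfies. The function names are hypothetical, and the rule that a mapping matches the same OID or that OID plus an instance suffix is an assumption of this example.

```python
import re

# Entry layout as shown in the article: <trap OID> <event code> <OID>(<n>,<n>) ...
# The meaning of the two numbers in parentheses is not interpreted here.
MAPPING_RE = re.compile(r"([0-9.]+)\(\d+,\d+\)")


def parse_alertmap_line(line):
    """Return (trap_oid, event_code, [mapped OIDs]); None for comment or blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"not an AlertMap entry: {line!r}")
    rest = fields[2] if len(fields) > 2 else ""
    mapped = [m.group(1).strip(".") for m in MAPPING_RE.finditer(rest)]
    return fields[0].strip("."), fields[1], mapped


def covers(mapped_oid, varbind_oid):
    """Assumption: a mapping matches the same OID or that OID plus an instance suffix."""
    return varbind_oid == mapped_oid or varbind_oid.startswith(mapped_oid + ".")


def unmatched_mappings(alertmap_line, trap_varbind_oids):
    """Mapped OIDs that no varbind in the trap satisfies; their event variables stay empty."""
    entry = parse_alertmap_line(alertmap_line)
    if entry is None:
        return []
    oids = [o.strip(".") for o in trap_varbind_oids]
    return [m for m in entry[2] if not any(covers(m, o) for o in oids)]


# Varbind OIDs copied from the VNM event quoted in the article.
TRAP_VARBINDS = [
    "1.3.6.1.2.1.1.3.0",
    "1.3.6.1.6.3.1.1.4.1.0",
    "1.3.6.1.4.1.25461.2.1.3.2.0.1",
]
# The "From" and "To" AlertMap lines from the workaround.
SHIPPED = "1.3.6.1.4.1.25461.2.1.3.2.0.1 0x06520001 1.3.6.1.4.1.25461.2.1.3.1.1(1,0)"
EDITED = "1.3.6.1.4.1.25461.2.1.3.2.0.1 0x06520001 1.3.6.1.4.1.25461.2.1.3.2.0.1(1,0)"

if __name__ == "__main__":
    for label, line in (("shipped", SHIPPED), ("edited", EDITED)):
        print(label, "unmatched:", unmatched_mappings(line, TRAP_VARBINDS))
```
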


 

Additional Information

 

 

How to reproduce the issue in house:


On a Linux machine with the Net-SNMP agent installed, run the following command to send an SNMPv2 trap to the SpectroSERVER machine:

$ snmptrap -v 2c -c public 10.74.240.101 '59307530' '1.3.6.1.4.1.25461.2.1.3.2.0.1' .1.3.6.1.4.1.25461.2.1.3.2.0.1 s "1,2019/09/24 16:37:49,007307002338,SYSTEM,general,0,2019/09/24 16:37:49,,general,,0,0,general,informational,\"Deviating device: wpclabfw1, Serial: 010401007976, Object: interface 1/5, Metric: rx-errors, Value: 84\",205432,0x0,0,0,0,0,,wpcpano"

Where 10.74.240.101 is the SpectroSERVER IP address.

Note that a \ character has been added before each " character inside the quoted string value so that the shell passes it through as part of the varbind.



Event on the VNM model when the device is not yet modeled in Spectrum database:

Event on the device model: