filter DateTime, SrcIP, Agent, TrapType, Specific Type, Enterprise, Action [Option]
The fields listed above are described as follows:
DateTime must be a date/time regular expression
SrcIP must be an IP address-based regular expression
Agent must be an IP address-based regular expression
TrapType is an integer-based regular expression
SpecificType is an integer-based regular expression
Enterprise is an objectid (be sure to backslash '.' components)
Action is a case-sensitive keyword: file, forward, exec, break, nat, eh
Option depends on Action:
For file, option is name of file to log trap to
For forward, option is a host:port combination or just host, where host is an IP address or valid domain name
For exec, option is name of script or program and args that the Trap should be passed to.
Trap script is invoked as: script [args] SrcIP agent-ip Trap-type Spec-type Enter-OID with the Trap PDU's variable bindings passed as stdin
For break, option is ignored
For nat, option is host/ipaddr that Trap agent field is changed to
Given the above descriptions, a standard filter to forward all traps received to the eHealth system (with a hostname of ehSystem) would appear as:
filter * * * * * * forward ehSystem
* NOTE: The ehSystem hostname must be resolvable
by the TrapExploder system or the system's
IP address can be utilized.
A more specific example, where only traps with a TrapType of 6, a Specific Type of 16, and an Enterprise OID of 546.1.1 are forwarded to the eHealth system, would appear as:
filter * * * 6 16 546\.1\.1 forward ehSystem
* NOTE: Escape characters (\) must be utilized to disable
the regular expression character match functionality
of the '.' symbol present in the Enterprise OID.
To match on the first octet in the agent IP address, use a ^ at the beginning of the search string, as in:
filter * * ^205\. * * * file /opt/EMPtrapx/logs/205.filtered
This will match on any IP that starts with 205.
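The escaping and anchoring rules above can be checked before a filter is deployed. The following is an added example, not part of TrapEXPLODER or its documentation: a small Python linter for filter lines. It assumes fields are whitespace-separated as in the examples above, that * means "match anything", that other patterns are applied as unanchored regular expression searches, and that Python's regex syntax is close enough for these checks; the function names and the sample OID are made up for illustration.

```python
import re

# Action keywords from the page; they are case-sensitive.
ACTIONS = {"file", "forward", "exec", "break", "nat", "eh"}
NEEDS_OPTION = {"file", "forward", "exec", "nat"}
FIELDS = ["DateTime", "SrcIP", "Agent", "TrapType", "SpecificType", "Enterprise"]
IP_FIELDS = {"SrcIP", "Agent"}
DOTTED = IP_FIELDS | {"Enterprise"}
# Heuristic: a '.' not preceded by a backslash acts as a regex wildcard.
BARE_DOT = re.compile(r"(?<!\\)\.")


def matches(pattern, value):
    """Assumed semantics: '*' matches anything, otherwise unanchored regex search."""
    return pattern == "*" or re.search(pattern, value) is not None


def lint_filter(line):
    """Return a list of warnings for one whitespace-separated filter line."""
    parts = line.split(None, 8)  # 'filter', six match fields, Action, [Option]
    if len(parts) < 8 or parts[0] != "filter":
        return ["not a complete filter line"]
    warnings = []
    for name, pat in zip(FIELDS, parts[1:7]):
        if pat == "*":
            continue
        try:
            re.compile(pat)
        except re.error as exc:
            warnings.append(f"{name}: invalid regular expression ({exc})")
            continue
        if name in DOTTED and BARE_DOT.search(pat):
            warnings.append(f"{name}: unescaped '.' matches any character")
        if name in IP_FIELDS and not pat.startswith("^"):
            warnings.append(f"{name}: no leading ^, pattern can match later octets")
    action = parts[7]
    if action not in ACTIONS:
        warnings.append(f"Action: unknown keyword {action!r} (keywords are case-sensitive)")
    elif action in NEEDS_OPTION and len(parts) < 9:
        warnings.append(f"Action: {action} requires an Option")
    return warnings


if __name__ == "__main__":
    # Constructed sample lines; the OID below is made up for the demonstration.
    print(matches("546.1.1", "1.3.6.1.4.1.546.101"))      # unescaped form over-matches
    print(matches(r"546\.1\.1", "1.3.6.1.4.1.546.101"))   # escaped form does not
    for sample in (r"filter * * * 6 16 546\.1\.1 forward ehSystem",
                   "filter * * * 6 16 546.1.1 Forward ehSystem"):
        print(sample, "->", lint_filter(sample))
```

The bare-dot check is a heuristic and will also flag a dot inside a character class such as [.], which is already literal.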
For more information please consult the examples present in the trapexploder.cf file or the TrapEXPLODER user's guide.