Technical Blog Post
Abstract
Mttrapd Probe 19: Probewatch for Trap IP Status and Trap Flood
Body
Overview
In conjunction with the logging in mttrapd_flood_control.rules, two new Probewatch types help the user track the state of IP status and Trap Flood in the Event List.
(1) [Trap IP Status] ProbeWatch
- Triggered
o After the rules functions drop_list_add() and drop_list_remove(). (See mttrapd_flood_control.rules.)
o When the probe is exiting, the internal clean-up procedure on the Drop List sends a Probewatch for each blocked IP.
Rationale: The Probewatch clears the Problem entries, so that *no* previously blocked IP problems stay in the Event List after the probe restarts.
- Alarm-like
o In the event of an IP being blocked (i.e., added to Drop List), a Probewatch is sent to ObjectServer as a Problem – a red
entry in Event List. When the IP is unblocked, another Probewatch is sent as Resolution to clear the Problem entry.
o Each blocked IP has its own Problem entry in Event List.
o AlertGroup is “Trap IP Status”.
(2) [Trap Flood] ProbeWatch
- Sent from genevent() in mttrapd_flood_control.rules.
o The summary contains the log messages from the Report code section of that rules file.
- (Almost) Heartbeat-like
o Generated periodically as long as mttrapd_flood_control.rules is regularly processed. The interval is OplMttrapdReportInterval.
o AlertGroup is “Trap Flood”.
Probewatch in Event List
[Trap IP Status] Probewatch:
Before:
drop_list_add() added “9.127.xx.220” to Drop List
After:
drop_list_remove() removed “9.127.xx.220” from Drop List
Before:
While the probe is running, some IPs have been blocked.
After:
Right before the probe exits, each blocked IP is unblocked again as the probe cleans up the Drop List (the IPs are removed from the list).
Note:
After a short while the resolved event entries will be cleared from Event List.
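Added example (not part of the original post or of the probe's rules files): a Python check that replays [Trap IP Status] summaries in order and reports which IPs still have an open Problem and which events break the Problem/Resolution pairing. It assumes the summary text follows the two samples shown above; the function name, sample lists and 192.0.2.x addresses are constructed for illustration.

```python
import re

# Assumption: summaries follow the wording of the two samples on this page.
SUMMARY_RE = re.compile(
    r'drop_list_(add|remove)\(\)\s+(?:added|removed)\s+'
    r'["“]([^"”]+)["”]\s+(?:to|from)\s+Drop List'
)

def replay(summaries):
    """Replay [Trap IP Status] summaries in arrival order.

    Returns (still_blocked, anomalies): IPs whose Problem has no Resolution,
    and (index, reason, detail) tuples for events that break the pairing.
    """
    open_problems = {}  # ip -> index of the Problem event that blocked it
    anomalies = []
    for i, text in enumerate(summaries):
        m = SUMMARY_RE.search(text)
        if m is None:
            anomalies.append((i, "unparsed", text))
            continue
        action, ip = m.groups()
        if action == "add":
            if ip in open_problems:
                anomalies.append((i, "blocked-twice", ip))
            open_problems[ip] = i
        elif open_problems.pop(ip, None) is None:
            anomalies.append((i, "resolution-without-problem", ip))
    return sorted(open_problems), anomalies

# Constructed sample data (192.0.2.0/24 is a documentation range).
CLEAN_EXIT = [
    'drop_list_add() added "192.0.2.10" to Drop List',
    'drop_list_add() added "192.0.2.20" to Drop List',
    'drop_list_remove() removed "192.0.2.10" from Drop List',
    # Sent by the Drop List clean-up when the probe exits:
    'drop_list_remove() removed "192.0.2.20" from Drop List',
]
# Same run with the exit clean-up event missing, plus an unmatched Resolution.
INCOMPLETE = CLEAN_EXIT[:3] + [
    'drop_list_remove() removed "192.0.2.30" from Drop List',
]

if __name__ == "__main__":
    for name, run in (("clean exit", CLEAN_EXIT), ("incomplete", INCOMPLETE)):
        blocked, odd = replay(run)
        print(f"{name}: still blocked={blocked} anomalies={odd}")
```

An empty still-blocked list after a probe exit corresponds to the clean-up behaviour described above; any IP left in it is a Problem entry with no matching Resolution.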
[Trap Flood] Probewatch:
The user can double-click the entry to open the Event Information window and view the full summary.
UID
ibm11082217