NetworkLens may be configured to use several different collection agents. New events are automatically inserted into the LENS_EVENT table:
Table 1. LENS_EVENT table sample data
|1000||0||3||2001-12-12 13:51:07||2001-12-13 15:00:37||192.168.23.7||NULL||SYSLOG||LOG_LOCAL7 from r1-r2.example.com 1231: Dec 12 13:51:07 MST: %LINK-3-UPDOWN: Interface Serial3/1:0, changed state to down|
|1001||0||3||2001-12-12 19:13:11||NULL||192.168.9.11||5053||System Meltdown||Kandahar POP site unavailable|
|1002||0||1||2001-12-13 14:06:23||2001-12-13 15:01:00||192.168.0.1||NULL||Interface Link||Link DOWN: 2 (Serial2/0) propPointToPointSerial|
The SYSLOG Collection Agent opens UDP port 514 and listens for SYSLOG messages. By default, SYSLOG messages have the format:
For more information, refer to the SYSLOG Collection Agent Source Code included in the appendix.
Currently, the TCP socket collection agent listens for TCP connections on port 9002. Arguments are passed in a similar manner as HTTP GET requests:
Everything is sent as one string of characters (arbitrary length). The valid character set is [0-9], [a-z], [A-Z], '=', '&', '+', '%', and '_'.
Name/value pairs are separated by a & (ampersand) character.
For each name/value pair, the name and value are separated by a = (equal sign) character.
Every character not in [0-9a-zA-Z=&+%_] (including the space) must be escaped with the %XX notation, where "XX" is the hexadecimal equivalent (using either A-F or a-f) of the character being substituted. See RFC 2396 for further information. Characters in the set above may also be escaped, but don't have to be.
To be compatible with CGI scripts, spaces may be translated to the + (plus) character or encoded with the %20 hex equivalent.
The following names will be recognized:
Table 2. TCP Socket Collection Agent Allowed Names
|severity||unknown, alert, critical, error, warning, notification, informational, debugging|
|ref_id||an integer of 11 digits or less|
|category||any arbitrary text value|
|summary||any arbitrary text value|
Example 1. TCP Socket Interface
Example 2. TCP Socket Interface
|category||this has spaces|
|summary||System Exception: you must restart Windows.|
severity=notification&ref_id=2947123&category=this%20has%20spaces&summary=System%20Exception%3A%20you%20must%20restart%20Windows%2E
For more information, refer to the TCP Socket Collection Agent Source Code included in the appendix.
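The following strict parser for the request format described above is an added example, not NetworkLens source code. The names parse_event and decode are hypothetical, and rejecting unknown names, repeated names and a raw = inside a value are assumptions of this example; SAMPLE is the Example 2 request string, written without whitespace, which the format does not allow.

```python
import re

# Wire character set stated on the page: [0-9a-zA-Z=&+%_]
WIRE_OK = re.compile(r"[0-9A-Za-z=&+%_]*")
# Every '%' must start a %XX escape with two hex digits (either case)
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
NAMES = {"severity", "ref_id", "category", "summary"}
SEVERITIES = {"unknown", "alert", "critical", "error", "warning",
              "notification", "informational", "debugging"}
# Request string from the page's Example 2
SAMPLE = ("severity=notification&ref_id=2947123&category=this%20has%20spaces"
          "&summary=System%20Exception%3A%20you%20must%20restart%20Windows%2E")


def decode(token):
    """Undo '+' (space) and %XX escaping for one name or value."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)),
                          token.replace("+", " "))


def parse_event(line):
    """Return the decoded name/value pairs as a dict, or raise ValueError."""
    if not WIRE_OK.fullmatch(line):
        raise ValueError("character outside the allowed set")
    if BAD_ESCAPE.search(line):
        raise ValueError("malformed %XX escape")
    event = {}
    for pair in line.split("&"):
        # Assumption of this example: exactly one raw '=' per pair, so a
        # literal '=' inside a value has to arrive escaped as %3D.
        if pair.count("=") != 1:
            raise ValueError("malformed pair: %r" % pair)
        name, value = pair.split("=")
        name = decode(name)
        # Assumption of this example: unknown and repeated names are rejected.
        if name not in NAMES or name in event:
            raise ValueError("unrecognized or repeated name: %r" % name)
        event[name] = decode(value)
    if event.get("severity", "unknown") not in SEVERITIES:
        raise ValueError("invalid severity")
    if "ref_id" in event and not re.fullmatch(r"[0-9]{1,11}", event["ref_id"]):
        raise ValueError("ref_id must be an integer of 11 digits or less")
    return event


if __name__ == "__main__":
    print(parse_event(SAMPLE))
```

Decoded values are still untrusted text: a collector that writes them to LENS_EVENT should pass them as bound query parameters rather than concatenating them into SQL.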
SNMP traps are handled in a two-step process. First, the "snmptrapd" program must be running with the "-On" option. This makes the trap handler (part of the UCD SNMP package) output all of the OIDs in numeric format.
To start capturing SNMP traps, you must run the trap collector as follows:
$ su -
# vi /etc/snmp/snmptrapd.conf
# snmptrapd -On
The contents of the /etc/snmp/snmptrapd.conf file should be:
traphandle default /usr/sbin/lens-traphandler
The traphandler will populate the LENS_TRAP and LENS_TRAP_ARGS tables. The "lens-trap" script will parse the raw data in these two tables and, using the "LENS_SEVERITY", "LENS_CATEGORY", and "LENS_SUMMARY" tables, will create and/or modify events in the master LENS_EVENT table.