Mttrapd Probe 19: Probewatch for Trap IP Status and Trap Flood

Body

Overview

In conjuction with mttrapd_flood_control.rules’ logging, two new Probewatch types will aid the user to track the state of IP

status and Trap Flood on Event List.

 

(1) [Trap IP Status] ProbeWatch

- Triggered

o After rules functions: drop_list_add() and drop_list_remove(). (See mttrapd_flood_control.rules)

o When probe exiting, internal clean-up procedure on Drop List will send a Probewatch for each blocked IP. 

Rationale: Send Probewatch to clear the Problem entries, so that *no* previous blocked IP problems stay in Event List after probe restarts.

- Alarm-like

o In the event of an IP being blocked (i.e., added to Drop List), a Probewatch is sent to ObjectServer as a Problem – a red

entry in Event List. When the IP is unblocked, another Probewatch is sent as Resolution to clear the Problem entry.

o Each blocked IP has its own Problem entry in Event List. 

o AlerGroup is “Trap IP Status”.

(2) [Trap Flood] Probe Watch

-  Sent from genevent() in mttrapd_flood_control.rules.

o The content of summary is the log messages in Report code section in the mentioned rules file.

 

- (Almost) Heartbeat-like

o Periodically generated so far as mttrapd_flood_control.rules is regularly processed. The interval is OplMttrapdReportInterval.

o AlertGroup is “Trap Flood”.

 

Probewatch in Event List

[Trap IP Status] Probewatch:

Before:

drop_list_add() added “9.127.xx.220” to Drop List

 

 

After:

drop_list_remove() removed “9.127.xx.220” from Drop List

 

Before:

When probe runs, some IPs have been blocked.

 

 

 

After:

Right before probe exits, each blocked IP is unblocked again as probe cleans up Drop List (IPs are removed from the list).

 

 

Note:

After a short while the resolved event entries will be cleared from Event List.

[Trap Flood] Probewatch:

 

 

 

The user can double click on the entry to open Event Information window to view the full summary.