### SOPHOS ANTIVIRUS PASSIVE CHECKS FOR NAGIOS HOWTO ###

DATE: 05-08-2010
Written by Remco Hage
RealOpenIT BV
Informaticalaan 7
2628ZD DELFT
The Netherlands
Phone: 0031 15 256 8969
email: rhage@realopenit.nl

In this readme, I describe how to receive passive service check results from Sophos Antivirus into Nagios.
It requires Nagios knowledge; you also need to know how passive checks work in Nagios, and some bash scripting.

Global view on how it works:
1) The snmptrapd service receives traps from the Sophos server.
2) snmptrapd hands the traps to SNMPTT. SNMPTT "translates" them, using the MIBs that were converted into snmptt.conf.
3) SNMPTT forwards each translated trap to Nagios via $USER1/submit_check_result, which writes it to the external command file with a status code and plugin output taken from the Sophos message.
4) Nagios recognizes this as a passive check result and displays it on the matching service (if there is one).

# Software requirements
SUSE: install net-snmp, perl-snmp and snmptt via the 1-click installer.
Ubuntu/Debian: install libnet-snmp-perl libsnmp snmptrapfmt snmpd.

# SUSE only
Set in /etc/init.d/snmptrapd:
CONFIG="-c /etc/snmp/snmptrapd.conf"
startproc $BINARY $OPTIONS $CONFIG

# Ubuntu/Debian:
Make sure the snmpd, snmptrapfmt and snmptt services are running.

###########################
#### CONFIGURATION SNMP ###
###########################

vi /etc/snmp/snmptrapd.conf:

traphandle default /usr/sbin/snmptt
disableAuthorization yes
donotlogtraps  yes

Note that disableAuthorization yes makes snmptrapd process every incoming trap, whatever community string it carries, so allow UDP port 162 only from the Sophos server (firewall it).

Execute:
/etc/init.d/snmptrapd restart

### ADD MIBS to the system ###

Create TRAP-TEST-MIB.txt in /usr/share/snmp/mibs (just for testing SNMP traps).

Put this in the file:

TRAP-TEST-MIB DEFINITIONS ::= BEGIN
	IMPORTS ucdExperimental FROM UCD-SNMP-MIB;

demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }

demo-trap TRAP-TYPE
	STATUS current
	ENTERPRISE demotraps
	VARIABLES { sysLocation }
	DESCRIPTION "This is just a demo"
	::= 17

END

Restart the snmpd services and send a test trap:
snmptrap -v 1 -c public localhost TRAP-TEST-MIB::demotraps localhost 6 17 '' SNMPv2-MIB::sysLocation.0 s "Just here"

If there are no errors, you should see something like this in /var/log/snmptrapd.log:

2009-12-10 15:49:22 localhost [127.0.0.1] (via UDP: [127.0.0.1]:44084->[127.0.0.1]) TRAP, SNMP v1, community public
	.1.3.6.1.4.1.2021.13.990 Enterprise Specific Trap (17) Uptime: 2 days, 0:01:19.23
	.1.3.6.1.2.1.1.6.0 = STRING: Just here

Receiving traps via the snmptrapd service is working...
# FOR MORE INFO: http://www.net-snmp.org/wiki/index.php/TUT:Using_and_loading_MIBS

########################
### SNMPTT TO NAGIOS ###
########################

Now we make sure snmptt sends its results to Nagios.

touch /usr/local/nagios/libexec/eventhandlers/submit_check_result && chmod +x /usr/local/nagios/libexec/eventhandlers/submit_check_result && chown nagios.nagios /usr/local/nagios/libexec/eventhandlers/submit_check_result

Put this in it:

############
## SCRIPT ##
############

#!/bin/sh

# SUBMIT_CHECK_RESULT
# Written by Ethan Galstad (egalstad@nagios.org)
# Last Modified: 02-18-2002
#
# This script will write a command to the Nagios command
# file to cause Nagios to process a passive service check
# result.  Note: This script is intended to be run on the
# same host that is running Nagios.  If you want to 
# submit passive check results from a remote machine, look
# at using the nsca addon.
#
# Arguments:
#  $1 = host_name (Short name of host that the service is
#       associated with)
#  $2 = svc_description (Description of the service)
#  $3 = return_code (An integer that determines the state
#       of the service check, 0=OK, 1=WARNING, 2=CRITICAL,
#       3=UNKNOWN).
#  $4 = plugin_output (A text string that should be used
#       as the plugin output for the service check)
# 

#logger -p warning nagios_passive_test

echocmd="/bin/echo"

CommandFile="/usr/local/nagios/var/rw/nagios.cmd"

# get the current date/time in seconds since UNIX epoch
datetime=`date +%s`

# create the command line to add to the command file
cmdline="[$datetime] PROCESS_SERVICE_CHECK_RESULT;$1;$2;$3;$4"

# append the command to the end of the command file
# (no backticks around this line: they would try to execute the
# output of echo as a command; quote the values so spaces survive)
$echocmd "$cmdline" >> "$CommandFile"
#### EOF #####
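The script above appends whatever SNMPTT hands it. As an added example (not part of the original HOWTO or Ethan Galstad's script), the variant below validates the return code and sanitizes the plugin output first, because the text in $4 comes straight from the trap and a ';' (the Nagios field separator) or a newline inside it would corrupt the PROCESS_SERVICE_CHECK_RESULT line. The function names and the fixed timestamp parameter are my own additions.

```shell
#!/bin/sh
# Added example: validated/sanitized variant of submit_check_result.
# Not the original script; function names are assumptions.

# sanitize_output TEXT
# Replaces newlines with spaces and ';' with ',' so the plugin output
# cannot break the field layout of the external command line.
sanitize_output() {
    printf '%s' "$1" | tr '\n\r;' '  ,'
}

# build_passive_result TIMESTAMP HOST SERVICE CODE OUTPUT
# Prints the external-command line, or prints nothing and returns 1
# when CODE is not 0..3 or HOST/SERVICE is empty. TIMESTAMP is a
# parameter (instead of calling date) so the result can be tested.
build_passive_result() {
    ts=$1; host=$2; svc=$3; code=$4; out=$5
    case "$code" in
        0|1|2|3) ;;
        *) echo "invalid return code: $code" >&2; return 1 ;;
    esac
    [ -n "$host" ] && [ -n "$svc" ] || return 1
    printf '[%s] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%s;%s\n' \
        "$ts" "$host" "$svc" "$code" "$(sanitize_output "$out")"
}

# submit_passive_result HOST SERVICE CODE OUTPUT
# Same as above with the current time, appended to the command file
# (path as used on this page; override with the CommandFile variable).
submit_passive_result() {
    CommandFile=${CommandFile:-/usr/local/nagios/var/rw/nagios.cmd}
    line=$(build_passive_result "$(date +%s)" "$@") || return 1
    printf '%s\n' "$line" >> "$CommandFile"
}
```

Call it from snmptt.conf exactly like the original (hostname, service, code, output); a trap with a bad code is logged to stderr and dropped instead of reaching Nagios.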

####################
### CONVERT MIBS ###
####################

Now convert the MIBs, so SNMPTT knows what to send:

For each MIB (sophos-sav-mib stands for the Sophos MIB file you received):
snmpttconvertmib --in=sophos-sav-mib --out=/etc/snmp/snmptt.conf --exec='/usr/local/nagios/libexec/eventhandlers/submit_check_result $r TRAP 0'


Look in /etc/snmp/snmptt.conf; you'll have something like this (this one is the output from the demo MIB):

EVENT demo-trap .1.3.6.1.4.1.2021.13.990.0.17 "Status Events" Normal
FORMAT This is just a demo $*
EXEC /usr/local/nagios/libexec/eventhandlers/submit_check_result $r TEST 1 "This is just a demo $*"
SDESC
This is just a demo
Variables:
  1: sysLocation
EDESC

The part "submit_check_result $r TEST 1 "This is just a demo $*"" is important.
It means the hostname is $r (the name of the host that sent the trap), the service name is TEST, and the service gets status 1 (WARNING) in Nagios.
Nagios only accepts the result if $r matches an existing host_name and TEST matches a service_description on that host; otherwise the result is silently ignored.

Go to the Sophos Antivirus management interface, set your Nagios server as SNMP server, and send a test trap (not available in newer versions; there you should download an EICAR test file instead), so you can see whether the results are received.

SNMPTT recognizes the MIBs/OIDs and sends the results to the submit_check_result script.
submit_check_result processes the data and puts it in the external command file, so Nagios can understand it.

To check whether the script is executed at all, you could put something like this in submit_check_result for testing: logger -p warning SUBMIT_CHECK_RESULT_TEST
Then you should at least see something in /var/log/messages, BUT... Nagios is not recognizing the host/service yet... We continue..


# SEE MORE INFO: http://www.snmptt.org/docs/snmpttconvertmib.shtml
# MORE INFO: http://www.snmptt.org/docs/snmptt.shtml#Nagios-Netsaint


##############################################
### PASSIVE RESULTS FROM SOPHOS IN NAGIOS ###
##############################################

To show trap results in Nagios, create a new service template. I call it just "passive_service" here for testing, but you might want to call it sophos_passive_service or anything else.

# passive check template
define service{
        name                            passive_service
        use                             generic-service
        active_checks_enabled           0
        passive_checks_enabled          1
        obsess_over_service             1
        flap_detection_enabled          1
        register                        0
        is_volatile                     0
        retain_status_information       1
        retain_nonstatus_information    1
        check_period                    24x7
        max_check_attempts              3
        normal_check_interval           60
        retry_check_interval            30
        contact_groups                  admins
        check_freshness                 1
        freshness_threshold             5000
        check_command                   give_ok
        }


Add to commands.cfg:

define command{
        command_name    give_ok
        command_line    /usr/local/nagios/libexec/check_dummy 0 "OK: NO ERRORS RECEIVED.."
        }


(give_ok sets the status to OK if Nagios does not receive any results from Sophos, because in that case there is no virus or alert.
If Nagios receives an error via SNMP, the service goes CRITICAL, but choose freshness_threshold carefully: once the passive result is older than the threshold, give_ok runs and resets the service to OK, so the error may be gone before you've noticed!!!)

In the case of "submit_check_result $r TEST 1" from snmptt.conf, the service name is "TEST", so create a service for the Sophos server name that uses the passive service template (the "use" line must name the template defined above):

define service{
        use                             passive_service
        host_name                       your-sophos-server-name
        service_description             TEST    ; or whatever service name you used above
        }

Execute:
/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

If there are no errors, restart Nagios. Try sending some errors etc. from Sophos, and check in the web interface and/or logs whether you receive them.


######################################
### EXTRA INFORMATION ABOUT MIBS ETC #
######################################

### Write your own MIBs ###
http://www.net-snmp.org/wiki/index.php/Writing_your_own_MIBs

### Sources ###
http://xavier.dusart.free.fr/joomla/index.php/en/nagios/47-traps-snmp-dans-nagios
http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap.html
http://technotes.twosmallcoins.com/?p=369
http://www.sage.org/lists/sage-members-archive/2005/msg03326.html