Monitoring using SNMP
You can use a third-party SNMP manager, such as HP OpenView, to monitor Ivanti Policy Secure system health. Ivanti Policy Secure supports SNMP version 2 (v2) and SNMPv3. Ivanti Policy Secure implements a private MIB, and defines its own traps. Download the Ivanti Policy Secure MIB file and specify the appropriate information to receive the traps.
To configure the SNMP agent:
- Select System > Log/Monitoring.
- Click the SNMP tab to display the SNMP configuration page.
- Complete the configuration as described in table.
- Save the configuration.
Keep the following configuration tips in mind when you configure your SNMP manager to listen for this SNMP agent:
|
Settings |
Guidelines |
||||
|---|---|---|---|---|---|
|
MIB File |
Use the Ivanti MIB file link to download the device management information base MIB file. You add this file to your SNMP manager configuration. |
||||
|
SNMP Version |
Select your SNMP server version: v2c v3 |
||||
|
Agent Properties |
|||||
|
SNMP Queries |
Select to support SNMP queries. |
||||
|
SNMP Traps |
Select to send SNMP traps. |
||||
|
System Name |
Specify a system name. |
||||
|
System Location |
Specify a location. |
||||
|
System Contact |
Specify a system contact. |
||||
|
Community String |
· Required only for SNMPv2c. · To query the system, your network management station must send it the community string. · To stop the SNMP system, clear the community field. |
||||
|
SNMPv3 Configuration |
|||||
|
Username |
Specify the SNMPv3 username. The User-Based Security Model (USM) is the default Security Module for SNMPv3. The system supports only one user at a time to be registered with an SNMP engine. Editing the SNMPv3 user attributes overwrite any already registered SNMPv3 user. The SNMPv3 user must have read-only access on all MIBs supported by the system. SNMPv3 user configuration attributes can also be used for SNMP traps. |
||||
|
Security Level |
Selection |
Auth Protocol |
Auth Password |
Priv Protocol |
Priv Password |
|
No Auth, NoPriv |
— |
— |
— |
— |
|
|
Auth, NoPriv |
Select MD5 (HMAC-MD5-96) or SHA (HMAC-SHA-96). |
Enter an authentication password. The password can contain any ASCII characters and must be at least 8 characters in length. |
— |
— |
|
|
Auth, Priv |
Select MD5 (HMAC-MD5-96) or SHA (HMAC-SHA-96). |
Enter an authentication password. The password can contain any ASCII characters and must be at least 8 characters in length. |
Select either CBC-DES or CFB-AES-128. |
Enter a privacy password. The password can contain any ASCII characters and must be at least 8 characters in length. |
|
|
Trap Thresholds |
Setting a threshold value to 0 disables that respective trap. |
||||
|
Check Frequency |
Specify the frequency in seconds for sending traps. The default is 180 seconds. |
||||
|
Log Capacity |
Specify the percent of log space used. The default is 90%. |
||||
|
Users |
Specify the percent of user capacity used. The default is 100%. |
||||
|
Physical Memory |
Specify the percent of physical memory used. The default is 0 (not reported). |
||||
|
Swap Memory (Virtual Memory) |
Specify the percent of swap memory used. The default is 0 (not reported). We recommend you monitor swap memory to alert you to potential memory issues. The threshold for traps for physical memory usage might be reached even if the system is not experiencing any difficulties. |
||||
|
Disk |
Specify the percent of disk utilization. The default is 80%. |
||||
|
CPU |
Specify the percent of CPU utilization. The default is 0 (not reported). |
||||
|
Optional Traps |
|||||
|
Critical Log Events |
Send traps when the system logs critical events. |
||||
|
Major Log Events |
Send traps when the system logs major events. |
||||
|
Save SNMP Settings? |
Click Save Changesto update the SNMP agent configuration. The page is refreshed and displays the SNMP engine ID. If the configuration is changed to move from SNMP v2c to SNMP v3, the system generates and displays two engine IDs. |
||||
|
SNMP Servers |
|||||
|
Hostname / IP address |
Specify the hostname or IP address for the SNMP servers to which the system will send any traps it generates. |
||||
|
Port |
Specify the port for the SNMP server. Typically, SNMP uses port 162. |
||||
|
Community |
Specify the community string (if necessary). |
||||
- Add the Ivanti MIB file to the SNMP manager configuration.
- ·If using SNMPv2c, the community string configuration for the SNMP manager and SNMP agent must match.
- If using SNMPv3, the SNMPv3 user configuration for the SNMP manager and the SNMP agent must match.
- If using SNMPv3, you must specify the Authoritative Engine ID for SNMPv3 traps that was generated when you saved the SNMP agent configuration.
The table below is a reference of MIB objects for the system.
|
Object |
Description |
|---|---|
|
logFullPercent |
Returns the percentage of available file size filled by the current log as a parameter of the logNearlyFull trap. |
|
signedInWebUsers |
Returns the number of users signed in through a Web browser. |
|
signedInMailUsers |
Returns the number of users signed in to the e-mail client. |
|
blockedIP |
Returns the IP address—blocked due to consecutive failed log in attempts—sent by the iveToomanyFailedLoginAttempts trap. The system adds the blocked IP address to the blockedIPList table. |
|
authServerName |
Returns the name of an external authentication server sent by the externalAuthServerUnreachable trap. |
|
productName |
Returns the licensed product name. |
|
productVersion |
Returns the software version. |
|
fileName |
Returns the file name sent by the archiveFileTransferFailed trap. |
|
iveCpuUtil |
Returns the percentage of CPU used during the interval between two SNMP polls. This value is calculated by dividing the amount of CPU used by the amount of CPU available during the current and previous SNMP polls. If no previous poll is available, the calculation is based on the interval between the current poll and system boot. |
|
iveMemoryUtil |
Returns the percentage of memory utilized by the system at the time of an SNMP poll. The system calculates this value by dividing the number of used memory pages by the number of available memory pages. |
|
iveConcurrentUsers |
Returns the total number of users logged in. |
|
clusterConcurrentUsers |
Returns the total number of users logged in for the cluster. |
|
iveTotalHits |
Returns the total number of hits to the system since last reboot. Includes total values from iveFileHits, iveAppletHits, and iveWebHits. |
|
iveFileHits |
Returns the total number of file hits to the system since last reboot.Incremented by the Web server with each GET/POST corresponding to a file browser request. |
|
iveWebHits |
Returns the total number of hits by means of the Web interface since last reboot. Incremented by the Web server for each http request received by the system, excluding file hits, and applet hits. |
|
iveAppletHits |
Returns the total number of applet hits to the system since last reboot.Incremented by the Web server for each GET request for a Java applet. |
|
ivetermHits |
Returns the total number of terminal hits to the system since last reboot. |
|
logName |
Returns the name of the log (admin/user/event) for the logNearlyFull and iveLogFull traps. |
|
iveSwapUtil |
Returns the percentage of swap memory pages used by the system at the time of an SNMP poll. The system calculates this value by dividing the number of swap memory pages used, by the number of available swap memory pages. |
|
diskFullPercent |
Returns the percentage of disk space used in the system for the iveDiskNearlyFull trap. The system calculates this value by dividing the number of used disk space blocks by the number of total disk space blocks. |
|
blockedIPList |
Returns a table with the 10 most recently blocked IP addresses. The blockedIP MIB adds blocked IP addresses to this table |
|
ipEntry |
An entry in the blockedListIP table containing a blocked IP address and its index (see IPEntry). |
|
IPEntry |
The index (ipIndex) and IP address (ipValue) for an entry in the blockedIPList table. |
|
ipIndex |
Returns the index for the blockedIPList table. |
|
ipValue |
A blocked IP address entry in the blockedIPList table. |
|
logID |
Returns the unique ID of the log message sent by the logMessageTrap trap. |
|
logType |
Returns a string sent by the logMessageTrap trap stating whether a log message is major or critical. |
|
logDescription |
Returns a string sent by the logMessageTrap trap stating whether a log message is major or critical. |
|
Name |
Returns the name of a virtual system. |
|
ocspResponderURL |
Returns the name of an OCSP responder. |
|
fanDescription |
Returns the status of the system fans. |
|
psDescription |
Returns the status of the system power supplies. |
|
raidDescription |
Returns the status of the system RAID device. |
|
iveLogNearlyFull |
The log file (system, user access, or administrator access) specified by the logName parameter is nearly full. When this trap is sent, the logFullPercent (%of log file full) parameter is also sent. You can configure this trap to be sent at any percentage. To disable this trap, set the Log Capacity trap threshold to 0%. The trap’s default value is 90%. When SNMP traps are enabled, the iveLogNearlyFull and iveLogFull traps are sent when the log files are 90% full and 100% full respectively, even if the threshold is set to 0 (disabled). |
|
iveLogFull |
The log file (system, user access, or administrator access) specified by the logName parameter is completely full. NOTE: When SNMP traps are enabled, the iveLogNearlyFull and iveLogFull traps are sent when the log files are 90% full and 100% full respectively, even if the threshold is set to 0 (disabled). |
|
iveMaxConcurrentUsersSignedIn |
Maximum number or allowed concurrent users are currently signed in. You can configure this trap to be sent at any percentage. To disable this trap, set the Users trap threshold to 0%. The trap’s default value is 100%. |
|
iveTooManyFailedLoginAttempts |
A user with a specific IP address has too many failed sign-in attempts. Triggered when a user fails to authenticate according to the settings for the Lockout options on the Security Options tab. When the system triggers this trap, the system also triggers the blockedIP (source IP of log in attempts) parameter. |
|
externalAuthServerUnreachable |
An external authentication server is not responding to authentication requests. When the system sends this trap, it also sends the authServerName (name of unreachable server) parameter. |
|
iveStart |
The system has just been turned on. |
|
iveShutdown |
The system has just been shut down. |
|
iveReboot |
The system has just been rebooted. |
|
archiveServerUnreachable |
The system is unable to reach the configured archive server. |
|
archiveServerLoginFailed |
The system is unable to log into the configured archive server. |
|
archiveFileTransferFailed |
The system is unable to successfully transfer files to the configured archive server. When the system sends this trap, it also sends the fileName parameter. |
|
iveRestart |
Supplies notification that the system has restarted according to the administrator’s instruction. |
|
iveDiskNearlyFull |
Supplies notification that the system disk drive is nearly full. When the system sends this trap, it also sends the diskFullPercent parameter. You can configure this trap to be sent at any percentage. To disable this trap, set the Disk trap threshold to 0%. This trap’s default value is 80%. |
|
iveDiskFull |
Supplies notification that the system disk drive is full. |
|
logMessageTrap |
The trap generated from a log message. When the system sends this trap, it also sends the logID, logType, and logDescription parameters. |
|
memUtilNotify |
Supplies notification that the system has met the configured threshold for memory utilization. To disable this trap, set the Physical Memory trap threshold to 0. The threshold is 0%, by default. |
|
cpuUtilNotify |
Supplies notification that the system has met the configured threshold for CPU utilization. To disable this trap, set the CPU trap threshold to 0. The threshold is 0%, by default. |
|
swapUtilNotify |
Supplies notification that the system has met the configured threshold for swap file memory utilization. To disable this trap, set the Swap Memory trap threshold to 0. The threshold is 0%, by default. |
|
iveFanNotify |
Supplies notification that the status of the fans has changed. |
|
ivePowerSupplyNotify |
Supplies notification that the status of the power supplies has changed. |
|
iveRaidNotify |
Supplies notification that the status of the RAID device has changed. |
|
iveNetExternalInterfaceDownTrap (nicEvent) |
Supplies the type of event that brought down the external interface. The nicEvent parameter can contain values of “external” for an external event and “admin” for an administrative action. |
|
iveNetInternalInterfaceDownTrap (nicEvent) |
Supplies the type of event that brought down the internal interface. The nicEvent parameter can contain values of “external” for an external event and “admin” for an administrative action. |
|
iveClusterDisableNodeTrap (clusterName,nodeList) |
Supplies the name of the cluster that contains disabled nodes, as well as a string containing the names of all disabled nodes. Node names are separated by white space in the string. |
|
iveClusterChangedVIPTrap(vipType, currentVIP, newVIP) |
Supplies the status of a virtual IP for the cluster. The vipType indicates whether the changed VIP was external or internal. The currentVIP contains the VIP prior to the change, and newVIP contains the VIP after the change. |
|
iveNetManagementInterfaceDownTrap (nicEvent) |
Supplies the type of event that brought down the management port. The nicEvent parameter can contain values of “external” for an external event and “admin” for an administrative action. |
|
iveClusterDelete(nodeName) |
Supplies the name of the node on which the cluster delete event was initiated. |
|
pclsRemainingGracePeriod |
Number of days remaining in grace period for contacting PCLS |
|
iveMaxConcurrentUsersLicenseCapacity |
Total licensed concurrent users capacity |