Using EELS

Sending SNMP traps using filters

As well as being able to execute scripts whenever filter matches are made, EELS can also send Simple Network Management Protocol (SNMP) traps. The mechanism works in the same way as for the execute-script parameter block. In the send-trap parameter block you specify the type of trap to send and the filter rule that dictates when to send the trap.

NOTE: For information on the execute-script parameter block, see ``Executing scripts using filters''.

Using this feature, you could configure EELS to send an ``Authentication failure trap'' whenever a failed attempt to telnet into your system is made:

  1. Log in as root.

  2. Add the following lines to the bottom of /etc/default/eels:
    send-trap trap_auth_fail {
        count       3;
        interval    10;
        trap-type   4;
        community   public;
        hostname    localhost;
        filter      auth_fail_filter;
    }

    filter auth_fail_filter {
        include "LogSystemsSource ~ 'syslog' && EventNumber == '27'";
    }

    NOTE: The send-trap block specifies that trap type 4 (the SNMPv1 generic ``authenticationFailure'' trap) carrying the community string ``public'' should be sent to localhost three times at intervals of ten seconds whenever the conditions in the filter block ``auth_fail_filter'' are satisfied. The filter block specifies that the field ``LogSystemsSource'' must contain the string ``syslog'' and ``EventNumber'' must equal ``27'' before the trap can be sent. Note that an SNMPv1 community string travels in cleartext and ``public'' is the well-known default; it is adequate for this localhost test, but choose a different string if traps are to be sent to a remote management host.

  3. Save /etc/default/eels.

  4. Start trap_rece(1Msnmp) by entering the following command:

    trap_rece

  5. In a new window, restart EELS so that it re-reads /etc/default/eels, by entering the following command:

    /etc/init.d/eelsrc restart

The changes are now active: if a telnet session to your system is aborted before a successful login is made, an SNMP trap is sent to localhost and is displayed in the window in which trap_rece is running. To test this:

  1. Log in as root.

  2. Use telnet to connect to the localhost, that is:

    telnet localhost

  3. Enter a username you know will not exist on your system, such as llkkjj, and a random password, such as 1234.

  4. Press <Ctrl>D to exit the telnet session. Aborting the session after the failed login generates the syslog entry (EventNumber 27) that ``auth_fail_filter'' matches, which triggers the sending of the trap.

    A message similar to the one shown below is displayed in the trap_rece window.

    Community: public.
    Enterprise: unixWare.2.
    Authentication failure trap.
    Time ticks: 0.

    Name: iso.1.1.1 Type: NULL Value: NULL
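What trap_rece is displaying above is an SNMPv1 Trap-PDU (RFC 1157) received over UDP port 162. The following is an added example, not part of EELS, trap_rece or the original page: it BER-encodes the kind of trap the send-trap block above causes (version 1, community ``public'', generic-trap 4, time ticks 0, one NULL varbind) and decodes it back into the fields trap_rece prints. The enterprise OID 1.3.6.1.4.1.99999.2 is a placeholder standing in for the page's ``unixWare.2'', and the agent address 127.0.0.1 is a constructed value; the receiver side also shows the one check a trap receiver can make in SNMPv1, refusing a trap whose cleartext community string does not match.

```python
"""SNMPv1 Trap-PDU (RFC 1157) encoder and decoder.  Added example, not EELS code;
the enterprise OID and agent address used below are placeholders."""
import socket

# generic-trap codes, RFC 1157 section 4.1.6; "trap-type 4" in EELS is this code
GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss",
                 6: "enterpriseSpecific"}

# ---- BER encoding ----------------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _int(tag, v):
    # minimal two's-complement; TimeTicks (0x43) is encoded like INTEGER (0x02)
    return _tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                  # base-128, high bit set on all but the last byte
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def encode_v1_trap(community, enterprise, agent_addr, generic, specific, timeticks, varbinds):
    """varbinds: list of (oid, value); value is bytes (OCTET STRING) or None (NULL)."""
    vbl = b"".join(_tlv(0x30, _oid(n) + (b"\x05\x00" if v is None else _tlv(0x04, v)))
                   for n, v in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(0x40, socket.inet_aton(agent_addr))   # [APPLICATION 0] IpAddress
           + _int(0x02, generic) + _int(0x02, specific)
           + _int(0x43, timeticks)                       # [APPLICATION 3] TimeTicks
           + _tlv(0x30, vbl))
    # Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, Trap-PDU [4] }
    return _tlv(0x30, _int(0x02, 0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))

# ---- BER decoding ----------------------------------------------------------
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def _sint(b):
    return int.from_bytes(b, "big", signed=True)

def decode_v1_trap(msg, expected_community):
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(body, 0)
    if _sint(ver) != 0:
        raise ValueError("not SNMPv1")
    _, comm, p = _read_tlv(body, p)
    # The community string is all the "authentication" SNMPv1 has, and it is sent in
    # cleartext; a receiver should at least drop traps that carry the wrong one.
    if comm != expected_community.encode():
        raise ValueError("community mismatch")
    tag, pdu, _ = _read_tlv(body, p)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    fields, q = [], 0
    for _ in range(6):                  # enterprise, agent-addr, generic, specific, ticks, varbinds
        t, val, q = _read_tlv(pdu, q)
        fields.append(val)
    ent, addr, gen, spec, ticks, vbl = fields
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = _read_tlv(vbl, r)
        _, name, s = _read_tlv(vb, 0)
        vt, val, _ = _read_tlv(vb, s)
        varbinds.append((_decode_oid(name), None if vt == 0x05 else val))
    return {"community": comm.decode(), "enterprise": _decode_oid(ent),
            "agent_addr": socket.inet_ntoa(addr),
            "generic_trap": GENERIC_TRAPS.get(_sint(gen), _sint(gen)),
            "specific_trap": _sint(spec), "timeticks": _sint(ticks),
            "varbinds": varbinds}

# The trap the send-trap block above would cause (constructed values: placeholder
# enterprise OID for "unixWare.2", agent address 127.0.0.1, varbind 1.1.1.1 = NULL).
def auth_failure_trap(community="public"):
    return encode_v1_trap(community, "1.3.6.1.4.1.99999.2", "127.0.0.1",
                          generic=4, specific=0, timeticks=0, varbinds=[("1.1.1.1", None)])

def send_trap(msg, host="localhost", port=162):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))      # traps travel over UDP/162, unacknowledged

if __name__ == "__main__":
    for k, v in decode_v1_trap(auth_failure_trap(), "public").items():
        print(f"{k}: {v}")
```

Running the module prints the same fields trap_rece shows (community, enterprise, the generic trap name, time ticks and the varbind list); calling send_trap(auth_failure_trap()) while trap_rece is running delivers the constructed trap to it. Because the transport is UDP and SNMPv1 has no integrity protection, anyone who can reach port 162 can forge such a trap, so a receiver's community check is a filter against noise, not an authentication mechanism.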

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004